Help needed: Backdoor-BDD on win98
Hi people,
Firstly thanks for this great resource. This seems to be the only place on the web for good Backdoor-BDD removal information.
Which brings me to my problem. My sister's PC is running Win98 and is infected with Backdoor-BDD. I have run Ad-Aware and Spybot Search and Destroy. Both found and fixed many problems. Then I ran McAfee VirusScan (v4.5.1). It has fixed several problems as well. It recognizes the Backdoor-BDD, but is unable to clean or delete the files. The McAfee forums (as well as Google) pointed me to this site for more help.
I have run Hijack. Its results are pasted below. Any help or advice is greatly appreciated.
Hijack results:
Logfile of HijackThis v1.99.0
Scan saved at 9:21:57 AM, on 1/17/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SDKFY.EXE
C:\WINDOWS\SYSTEM\ATLYB32.EXE
C:\WINDOWS\SYSTEM\WINAR.EXE
C:\WINDOWS\SYSTEM\GRXP4EXE.EXE
C:\WINDOWS\SYSTEM\NETDY.EXE
C:\WINDOWS\SYSTEM\D3WY32.EXE
C:\WINDOWS\SYSTEM\CREI.EXE
C:\WINDOWS\SDKMN.EXE
C:\WINDOWS\SYSTEM\IPJS32.EXE
C:\WINDOWS\SYSTEM\CRNM.EXE
C:\WINDOWS\SYSTEM\IPBI32.EXE
C:\WINDOWS\SYSTEM\SDKMJ32.EXE
C:\WINDOWS\SYSTEM\MSWL32.EXE
C:\WINDOWS\NETBS32.EXE
C:\WINDOWS\SYSTEM\IEEX.EXE
C:\WINDOWS\SYSTEM\D3DW.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\SYSTEM\D3EO32.EXE
C:\WINDOWS\CRHJ32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\WEBSCANX.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\PDESK\PDESK.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\WINDOWS\SYSTEM\HPHMON03.EXE
D:\HEWLETT-PACKARD\PHOTOSMART\PHOTO IMAGING\HPI_MONITOR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\LOGITECH\WINGMAN SOFTWARE\LWEMON.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\DESKTOP\HIJACK THIS\HIJACKTHIS.EXE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\fxcdi.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\fxcdi.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {CE95AF00-D877-9322-A733-DBFBF7402B6F} - C:\WINDOWS\WINLX.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\SYSTEM\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\SYSTEM\HPHMON03.EXE
O4 - HKLM\..\Run: [CXMon] "d:\...\hewlett-packard\photosmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\RunServices: [WINAM32.EXE] C:\WINDOWS\WINAM32.EXE
O4 - HKLM\..\RunServices: [APPYV.EXE] C:\WINDOWS\SYSTEM\APPYV.EXE
O4 - HKLM\..\RunServices: [CRKO.EXE] C:\WINDOWS\SYSTEM\CRKO.EXE
O4 - HKLM\..\RunServices: [MSNH32.EXE] C:\WINDOWS\SYSTEM\MSNH32.EXE
O4 - HKLM\..\RunServices: [NTPY32.EXE] C:\WINDOWS\SYSTEM\NTPY32.EXE
O4 - HKLM\..\RunServices: [SDKPZ32.EXE] C:\WINDOWS\SYSTEM\SDKPZ32.EXE
O4 - HKLM\..\RunServices: [IEBJ32.EXE] C:\WINDOWS\SYSTEM\IEBJ32.EXE
O4 - HKLM\..\RunServices: [WINDA.EXE] C:\WINDOWS\SYSTEM\WINDA.EXE
O4 - HKLM\..\RunServices: [SDKFY.EXE] C:\WINDOWS\SYSTEM\SDKFY.EXE
O4 - HKLM\..\RunServices: [ATLYB32.EXE] C:\WINDOWS\SYSTEM\ATLYB32.EXE
O4 - HKLM\..\RunServices: [NETDY.EXE] C:\WINDOWS\SYSTEM\NETDY.EXE
O4 - HKLM\..\RunServices: [D3WY32.EXE] C:\WINDOWS\SYSTEM\D3WY32.EXE
O4 - HKLM\..\RunServices: [WINAR.EXE] C:\WINDOWS\SYSTEM\WINAR.EXE
O4 - HKLM\..\RunServices: [CREI.EXE] C:\WINDOWS\SYSTEM\CREI.EXE
O4 - HKLM\..\RunServices: [IPJS32.EXE] C:\WINDOWS\SYSTEM\IPJS32.EXE
O4 - HKLM\..\RunServices: [SDKMN.EXE] C:\WINDOWS\SDKMN.EXE
O4 - HKLM\..\RunServices: [IPBI32.EXE] C:\WINDOWS\SYSTEM\IPBI32.EXE
O4 - HKLM\..\RunServices: [CRNM.EXE] C:\WINDOWS\SYSTEM\CRNM.EXE
O4 - HKLM\..\RunServices: [SDKMJ32.EXE] C:\WINDOWS\SYSTEM\SDKMJ32.EXE
O4 - HKLM\..\RunServices: [MSWL32.EXE] C:\WINDOWS\SYSTEM\MSWL32.EXE
O4 - HKLM\..\RunServices: [NETBS32.EXE] C:\WINDOWS\NETBS32.EXE
O4 - HKLM\..\RunServices: [D3DW.EXE] C:\WINDOWS\SYSTEM\D3DW.EXE
O4 - HKLM\..\RunServices: [IEEX.EXE] C:\WINDOWS\SYSTEM\IEEX.EXE
O4 - HKLM\..\RunServices: [CRHJ32.EXE] C:\WINDOWS\CRHJ32.EXE
O4 - HKLM\..\RunServices: [D3EO32.EXE] C:\WINDOWS\SYSTEM\D3EO32.EXE
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\WingMan Software\lwtest.exe" /detect /quiet /launch "C:\Program Files\Logitech\WingMan Software\lwemon.exe /noui"
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - http://www.wildtangent.com/install/wdriver/driveway/microsoft/wtinst.cab
O16 - DPF: {C3498BF0-2C07-43C8-99D0-434B038334A6} (VDLaunch Class) - http://www.catharon.com/download/plugins/ievdl2.ocx
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www.priv.man.xmlsweb.com/XMLSearch/XMLCache.CAB
I hope the hijack results are formatted correctly and make sense.
Many thanks again.
ep2k
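For readers working through a HijackThis log like the one above, here is an added triage script (example code written for this page, not the poster's own or anything from the HijackThis project). It parses the R1, O2 and O4 entry formats and applies three defender-side heuristics: an IE search page redirected to a res:// resource inside a local DLL, a BHO loaded from a DLL sitting directly under the Windows directory, and a RunServices autostart whose value name equals a short random-looking executable name in C:\WINDOWS or C:\WINDOWS\SYSTEM. The regular expressions, the notion of a "random-looking" name and the SYSTEM_DIRS set are assumptions chosen for this example, and the sample input is a constructed subset of the log lines posted above plus two benign entries from the same log for contrast. A hit is a reason to look closer, not a verdict; the original poster's approach of posting the full log for review is still the right one.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the HijackThis log posted above,
# including benign entries (Acrobat BHO, SystemTray, McAfee) for contrast.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\fxcdi.dll/sp.html#29126
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {CE95AF00-D877-9322-A733-DBFBF7402B6F} - C:\WINDOWS\WINLX.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [WINAM32.EXE] C:\WINDOWS\WINAM32.EXE
O4 - HKLM\..\RunServices: [SDKFY.EXE] C:\WINDOWS\SYSTEM\SDKFY.EXE
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE
O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www.priv.man.xmlsweb.com/XMLSearch/XMLCache.CAB
"""


@dataclass
class Entry:
    section: str   # e.g. "R1", "O2", "O4"
    body: str      # everything after the "Rn - " / "On - " prefix
    raw: str


@dataclass
class Finding:
    section: str
    reason: str
    raw: str


# Generic "Rn - body" / "On - body" line shape used by HijackThis.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# O4 body: HKLM\..\RunServices: [ValueName] C:\PATH\FILE.EXE
O4_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O2 body: BHO: <description> - {CLSID} - C:\PATH\FILE.DLL
O2_RE = re.compile(r"^BHO: (?P<desc>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
# Assumed heuristic: 2-5 letters, optional "32", .EXE (e.g. SDKFY.EXE, WINAM32.EXE).
RANDOM_EXE_RE = re.compile(r"^[A-Z]{2,5}(32)?\.EXE$", re.IGNORECASE)
# Assumed: directories where dropped files in this log live (lower-cased).
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system"}


def parse_entries(text: str) -> List[Entry]:
    """Keep only lines that look like HijackThis R/O entries; skip process list etc."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m["section"], m["body"], line))
    return entries


def split_path(path: str):
    """Return (lower-cased directory, basename) of a Windows path; arguments are not stripped."""
    path = path.strip().strip('"')
    if "\\" not in path:
        return "", path
    directory, _, base = path.rpartition("\\")
    return directory.lower(), base


def check_entry(e: Entry) -> Optional[Finding]:
    """Apply the three heuristics; return a Finding or None."""
    if e.section == "R1" and "res://" in e.body.lower():
        return Finding(e.section, "IE search/start page points at a res:// resource in a local DLL", e.raw)
    if e.section == "O2":
        m = O2_RE.match(e.body)
        if m:
            directory, base = split_path(m["path"])
            if directory in SYSTEM_DIRS:
                return Finding(e.section, f"BHO {base} loaded directly from the Windows directory", e.raw)
    if e.section == "O4":
        m = O4_RE.match(e.body)
        if m:
            directory, base = split_path(m["cmd"])
            if (m["key"] == "RunServices" and directory in SYSTEM_DIRS
                    and RANDOM_EXE_RE.match(base) and m["name"].upper() == base.upper()):
                return Finding(e.section, f"RunServices autostart of short random-looking name {base}", e.raw)
    return None


def find_suspicious(text: str) -> List[Finding]:
    """Parse a log and return every entry that trips a heuristic, in log order."""
    return [f for f in (check_entry(e) for e in parse_entries(text)) if f is not None]


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(f"[{finding.section}] {finding.reason}\n    {finding.raw}")
```

Run against the full log, the RunServices rule alone would flag the twenty-odd dropped executables that the poster's scanners could not remove, while leaving the HP, Matrox, Logitech and McAfee entries alone; the point of keying on the value name equalling the filename is that legitimate vendors almost always use a descriptive value name, as every benign O4 entry in this log does.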