backdoor trojan

Printable View

July 23rd, 2004, 10:34 PM
oshal

backdoor trojan

hey, I'm coming back here, you guys helped me last time with the dso exploit and my about blank... still comes back once in a while though...

anyhow, I have this backdoor trojan but I have no idea how I got it. I didn't download any attachments recently or visit questionable homepages but somehow it infected my computer. I received the virus notification from my Symantec Antivirus Client. It can't remove it so I tried what they suggest on the Symantec support webpage. I booted into safe mode and ran a manual scan but it did not detect it in safe mode. This was rather annoying because I cannot seem to remove it in normal mode.

the file is specified as
C:\WINDOWS\SYSTEM32\wdml.dll

Thanks again
July 23rd, 2004, 11:16 PM
InTheWayBoy

Well if you know where it is, then just boot back into safe mode and manually delete then. What OS you running?
July 24th, 2004, 12:28 AM
mib

Quote:

Originally Posted by oshal

hey, I'm coming back here, you guys helped me last time with the dso exploit and my about blank... still comes back once in a while though...

anyhow, I have this backdoor trojan but I have no idea how I got it. I didn't download any attachments recently or visit questionable homepages but somehow it infected my computer. I received the virus notification from my Symantec Antivirus Client. It can't remove it so I tried what they suggest on the Symantec support webpage. I booted into safe mode and ran a manual scan but it did not detect it in safe mode. This was rather annoying because I cannot seem to remove it in normal mode.

the file is specified as
C:\WINDOWS\SYSTEM32\wdml.dll

Thanks again

In addition to InTheWayBoy's suggestion to delete the file, you might want to first go into REGEDIT, and do a search to verify if there are any entries there.

If you find the entry, note down the complete address and rename the value to WDML.Dxx, where xx can be any character except ll. Do not delete the entry yet. Save your changes, and reboot the PC.

If you do not receive any errors during the restart, then you may go back to REGEDIT, return to that address you noted down, and delete the entry. If you haven't done so yet, you may also delete the file physically from the C:\WINDOWS\SYSTEM32.
July 24th, 2004, 07:11 AM
NooNoo

And remember to turn off system restore... otherwise windows will helpfully put it back for you. Also check the dllcache folder under windows.
July 24th, 2004, 10:46 AM
oshal

not there

Symantec does not find it, and myself as well, because it apparently disappears in safe mode. I have checke in the file location several times and not found it , I actually tried that before I posted and thought that I may have just overlooked the file name. I am fairly certain that I haven't. Any other ideas, do you think it is hopefully just a benign file that antivirus client is listing as a virus?
July 24th, 2004, 12:04 PM
Atodini

If you can install your hard drive as a slave in another XP / 2K machine then the file will be visible in explorer and you can easily delete it (if Norton doesn't beat you to it!!).

Have had to do this many times recently on customer machines - "invisible" backdoor trojans are getting to be a nuisance.....

John
July 24th, 2004, 12:17 PM
oshal

I realize now that my previous posting might not have been very clear. The file names appears in the directory when I boot normally, but DOES NOT appear in safe mode. I don't think I have any problems really related to this virus, but I am not too knowledgeable when it comes to computer viruses. I don't notice any slowdown or browser problems. (hopefullly I am not speaking too soon about it) thanks. I hope that clarifies my situation for those of you that can help. I am using a laptop, and that slave drive bit seems like a hassle, is there a cleaner way without having to either reinstall all of my files or transfer my hard drive to another computer as Atodini suggested.
July 24th, 2004, 01:12 PM
Jeff the Brit

You may have your Explorer view settings set to default settings in safe mode. Click Tools - Folder Options - View and remove all the blinkers that Uncle Bill likes to put there to prevent you from seeing what's really on your drive.
July 24th, 2004, 06:13 PM
oshal

I changed my settings and the file was still not viewable under the same name.
July 24th, 2004, 09:24 PM
hudsonsmith

Have you tried stopping the process using task manager and deleting it in normal mode?
July 24th, 2004, 10:18 PM
oshal

hey guys, I appreciate everyone's help. I actually surfed the web for other forums discussing the topic as I think you probably would expect from a college student annoyed by an infected computer. I found this post quite helpful and it seems to have worked so far. I was able to delete the questionble file and my virus scans with symantec along with CWShredder, AdAware, and Spybot all came up clean. Someone had a similar problem and the techie seemed pretty knowledgeable, but most importantly he was extremely thorough.

http://www.mytechsupport.ca/support/...?TOPIC_ID=3887

Thanks again.
July 25th, 2004, 08:01 AM
NooNoo

Indeed s/he was, but then again, the poster did provide a full hijack this log which gives people alot more to go on. It is much easier to give a complete fix, when complete information is provided.