
Backdoor Programs

Knifecollector Member Posts: 3,267 ✭✭✭
edited June 2002 in General Discussion
I ran my scan disk to check for viruses and it found a Backdoor program. It said it was a security risk. Anyone know what this is? Do I need to do anything about it or let it ride?

Comments

  • Gordian Blade Member Posts: 1,202 ✭✭✭✭✭
    I don't think standard Microsoft ScanDisk effectively checks for viruses. Is that what you were running, or something else? What was the exact message to you? If you have a virus, you should get rid of it ASAP.
  • Knifecollector Member Posts: 3,267 ✭✭✭
    I ran F-Pro Anti-Virus Program from Frisk Software International. I downloaded it from the web a couple weeks ago after I got the Klez and Elkern viruses. It seems like a very nice program that checks for viruses and other ailments. After it ran through everything it gave a report and said no virus found. One backdoor program found _ C:\Windows\system\kdll.dll. This is a security risk. That's what it said. Any ideas on what to do now? Thanks.
  • Gordian Blade Member Posts: 1,202 ✭✭✭✭✭
    I did some quick research on the net and found that kdll.dll is a secret keyboard logger that hackers use to catch everything you type (like passwords and credit card numbers), then their virus can email the stolen info to hotmail or other virtually anonymous email address. I don't think you need kdll.dll for any legitimate program. It could be that someone has put spyware on your computer to see if you are logging onto porno sites or whatever you shouldn't be doing.

    In any case, I recommend finding kdll.dll on your computer (just use the find command on all local hard drives), copy it to a floppy (just in case it turns out you need it for something legit), delete it from your hard drive, and reboot.

    PS -- If your computer complains when it starts that it is looking for kdll.dll, we'll take care of that also, it's a little trickier because there are several things to check. Just ignore the complaint for now.

    Edited by - Gordian Blade on 06/06/2002 11:21:25
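    The "copy it to a floppy, then delete" step above, written out as an added example that is not from this thread: the script moves a named file into a quarantine folder under its SHA-256 hash, keeps a small manifest so the file can be put back byte-for-byte if a legitimate program turns out to need it, and stores the copy without its .dll name so nothing loads it by accident. The file name kdll.dll and the placeholder contents in demo() are constructed for the demonstration.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Hash the file so the quarantined copy can be matched to the original later."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def quarantine(path, quarantine_dir) -> dict:
    """Copy a suspect file into quarantine under its hash, write a manifest, then delete it.
    The original is removed only after the copy's hash has been verified."""
    src, qdir = Path(path).resolve(), Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)
    digest = sha256_of(src)
    stored = qdir / (digest + ".quarantined")  # no .dll extension on the stored copy
    shutil.copy2(src, stored)
    if sha256_of(stored) != digest:
        raise RuntimeError("quarantine copy does not match the original; nothing deleted")
    record = {"original_path": str(src), "sha256": digest, "stored_as": str(stored)}
    (qdir / (digest + ".json")).write_text(json.dumps(record))
    src.unlink()
    return record

def restore(record: dict) -> str:
    """Put a quarantined file back exactly where it was, refusing if the copy was altered."""
    stored = Path(record["stored_as"])
    if sha256_of(stored) != record["sha256"]:
        raise RuntimeError("quarantined copy has been altered; refusing to restore")
    shutil.copy2(stored, record["original_path"])
    return record["original_path"]

def demo() -> dict:
    """Round trip on a constructed placeholder file (not a real DLL) in a temporary folder."""
    with tempfile.TemporaryDirectory() as tmp:
        suspect = Path(tmp) / "kdll.dll"
        suspect.write_bytes(b"MZ" + b"\x00" * 62)  # constructed sample contents
        record = quarantine(suspect, Path(tmp) / "quarantine")
        removed = not suspect.exists()
        restore(record)
        restored = suspect.exists() and sha256_of(suspect) == record["sha256"]
    return {"removed": removed, "restored": restored, "sha256": record["sha256"]}
```

    The manifest (the .json file next to the stored copy) is what you would keep alongside the floppy copy so the restore can be done later without guessing the original path.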
  • n/a Member Posts: 168,427
    Did you do a complete recovery after you got hit with the virus?

    Backdoor programs allow intruders to access your PC while online, steal your passwords, log your keystrokes and crash your computer. The intruder first has to trick a user into running the program on his PC. Normally this is done by sending the file by email, ICQ or IRC and asking the user to run it.


    I would suggest you download The Cleaner, from cnet.com... it takes care of trojans.. which is a possibility of you having now....If it comes up clean.. then download another virus protection.. after disabling the one you are using now..and running it.. some virus protection will not catch all of the virus, etc.. one very good one is Quick Heal...if both the cleaner and virus protection come up clean.. then I would suspect your virus protection is picking up some old files that were left over from the klez..
  • Gordian Blade Member Posts: 1,202 ✭✭✭✭✭
    Good advice from BlackRoses, you should do that, but get rid of kdll.dll ASAP before doing any more net surfing. Personally, I recommend McAfee, but you have to pay for it.
  • n/a Member Posts: 168,427
    Don't delete that file.. it could be needed for almost anything and you could freeze yourself or crash, or not be able to use the modem.. run the cleaner first..and the second virus protection..and make sure you can do a total recovery if you have to... all necessary disks for recovery?
  • Knifecollector Member Posts: 3,267 ✭✭✭
    After I got the virus W32 Klez and W32 Elkern I downloaded several programs to find the viruses and clean up and restore everything. Disabling each one as I went along. I believe I will try to delete this file. If it is something I need can I just restore it later? I will run the cleaner Blackroses was telling me about first. I am just about out of my league on this one. I'm not what you would call a computer expert. Thanks.
  • n/a Member Posts: 168,427
    If you didn't do a complete recovery after the virus hit you.. then it's probably picking up old files... you are eventually going to have to do a complete recovery... it's the only way to rid yourself of the virus completely..
    If you cannot do one.. it's rather easy to do but very time consuming...then computer stores will do one for you.. backing up all files as well... for about 50 to 100 bucks...
    That file is not one you would need, BUT.. once a trojan is in your comp it goes into every program you have.. that is how they find out where you are going.. and that is why I said not to delete it..You have no idea what program it's into or what it's doing.. Deleting it now could stop you from running.. I may not be making myself totally clear..but in some cases once a trojan is in your comp, you actually need the trojan to keep running..and deleting the file will crash you.. so use the cleaner.. it will isolate or clean the file for you
  • thesupermonkey Member Posts: 3,905 ✭✭
    KnifeUser,
    You've more than likely been infected by a variation of the Badtrans.A worm.

    Check this out:
    http://www.norman.com/virus_info/w32_badtrans_29090_mm.shtml

    The article says the virus spreads through MAPI, so don't connect to the internet until you've straightened this out or it will attempt to mail itself to anyone in your address books.

    The file 'kdll.dll' can be removed safely.

    Hope this helps,

    Ps. What's your field Roses?

    Munkey


    Don't worry about the bullet with your name on it, worry about the fragmentation grenade addressed 'To Occupant'.
  • Gordian Blade Member Posts: 1,202 ✭✭✭✭✭
    I don't agree with Blackroses about leaving kdll.dll on. It is not a normal part of Windows, not having it will not prevent you from booting up. If you have to, you can copy it back from a floppy. I would not advise doing any more web surfing with that on your system. Free advice is worth what you paid for it, do as you think best. I still recommend McAfee, it's the best anti-virus I've found.
  • thesupermonkey Member Posts: 3,905 ✭✭
    Gordian is correct, check out that article.

    Don't worry about the bullet with your name on it, worry about the fragmentation grenade addressed 'To Occupant'.
  • He Dog Member Posts: 51,593 ✭✭✭✭
    If he is posting here, he is already on the internet, right?
  • Big Sky Redneck Member Posts: 19,752 ✭✭✭
    KDLL.DLL is not a valid system file, a .dll is an application extension that works like a driver to another program. If you have a .dll that you don't know what it's for, leave it alone. A piece of legitimate software could have placed it in your system.

    As far as viruses, a lot of the modern viruses have been written to survive formats, what they do is infect the Master Boot Record and that ALWAYS survives a format, system restore is a joke at this point. They also infect your firmware and when they do that you now need to step into geekdom to fix it. My advice to you is if you feel you have a Trojan Horse or another piece of spyware on your system, take it to a REPUTABLE tech and ask him to do a complete nuke and rewrite the firmware in your drives. I got a bad one last year that would fill up my hard drives with .jpgs, it looked for every picture I had on here and multiplied them like rabbits, it took me a week to finally get rid of it. I did several format c:s on it and each time I did that the virus came back. I wound up doing low level formats which write 0s to the entire drive and restores it to new condition. I also had to rewrite the firmware on ALL my removable disk drives. These viruses are nothing to be messed with and 99.9% of all the old school fixes DO NOT WORK ON THEM, now there are some viruses that can be removed but the sophisticated ones dig in to the system far worse than a good dose of crotch crabs and need to be dealt with very aggressive means to rid them of your system.

    Once again that kdll.dll is not a windows system file, it is in there from another app, now if it is indeed a virus file, you need to find what put it there, if you delete it and it is a virus, it will come back again and again and again. If it belongs to a legit program, the program may not run again. Before you go messing with .dlls you need to know what the heck you are doing in there.
  • thesupermonkey Member Posts: 3,905 ✭✭
    He Dogg, thanks for making me feel like an idiot :)

    Don't worry about the bullet with your name on it, worry about the fragmentation grenade addressed 'To Occupant'.
  • n/a Member Posts: 168,427
    A master boot record doesn't always survive the reformat..it all depends on how you take it down to do the recovery... When I was hit with the klez(sounds like some sort of STD) *L*.. a recovery took care of it.. but with others I have done, they had to be taken down in dos, and rebooted from a boot disk on floppy..
    Couldn't agree more with you about the dll file.. leave it alone till you know for sure...

    Just my opinion
  • thesupermonkey Member Posts: 3,905 ✭✭
    LOOK AT ME, LOOK AT ME, LOOK AT ME NOTE----> !!!!!CHECK THIS OUT!!!!!
  • simonbs Member Posts: 994
    Did somebody hear sumpthin? Sounds faintly like a monkey

    I'm not afraid of the dark...the dark is afraid of me!
  • Big Sky Redneck Member Posts: 19,752 ✭✭✭
    There are only 2 ways to wipe out the MBR, one is using FDISK and the other is the low level format. Also a format off the floppy in DOS does not erase the drive, anything on the hard disk can be mirrored after using the DOS format.
    One thing you can do to try and keep an eye on the MBR is when you are booting the computer go into setup, under advanced cmos you can set the audible alarm to sound off when something writes to the MBR, this will give you advance warning that you have been hit and will allow you to take appropriate action to stop the virus.
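    The CMOS boot-sector write alarm described above has a software counterpart: an added example, not from this thread, that parses a 512-byte MBR image, records a baseline hash of the boot code and of the partition table separately, and on a later read reports which of the two changed (boot code altered is the bootkit case; table-only change is typically a legitimate repartition). The MBR bytes here are constructed by make_sample_mbr(), not read from any disk.

```python
import hashlib
import struct

BOOT_SIGNATURE = b"\x55\xaa"

def parse_mbr(mbr: bytes) -> list:
    """Return the non-empty entries of the 4-slot partition table in a 512-byte MBR image."""
    if len(mbr) != 512 or mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("not a 512-byte MBR with a 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:
            parts.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return parts

def fingerprint(mbr: bytes) -> dict:
    """Hash boot code and partition table separately so a later check can tell
    a change to the code from a change to the table."""
    parse_mbr(mbr)  # validates the image before it is trusted as a baseline
    return {"code": hashlib.sha256(mbr[:446]).hexdigest(),
            "table": hashlib.sha256(mbr[446:510]).hexdigest()}

def check_mbr(current: bytes, baseline: dict) -> list:
    """Compare a freshly read MBR against a saved baseline; an empty list means unchanged."""
    now = fingerprint(current)
    return [f"{part} changed" for part in ("code", "table") if now[part] != baseline[part]]

def make_sample_mbr(boot_code: bytes) -> bytes:
    """Build a constructed MBR (not read from any disk) with one bootable NTFS partition."""
    code = boot_code.ljust(446, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2048000)
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE
```

    On a real machine the image comes from the first 512 bytes of the disk device (for example `open("/dev/sda", "rb").read(512)` as root on Linux, an assumed path), with the baseline saved somewhere the disk's own boot code cannot alter.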
  • n/a Member Posts: 168,427
    Perhaps you should read all of the link, monkey
  • n/a Member Posts: 168,427
    FDISK... DUHHHHHHHHHHHHHHHHHHHHHHHHHHH!!!!!!!!!!!!
  • Big Sky Redneck Member Posts: 19,752 ✭✭✭
    I forgot to add, a lot of the store bought systems will not allow you into setup or change any CMOS settings, therefore leaving you at the mercy of 1-800-dial-ageek. This is one of the biggest reasons I detest store bought machines, they are designed so that when you have a system problem you need to send it back to them or a tech to work on it, heck some manufacturers won't even give you the windows cd forcing you to rely on them to fix the machine. Last week I fixed an HP Pavilion for a person who corrupted windows so bad it would not boot, HP wanted him to send the computer in to be fixed, what a friggin joke! I redid the FAT table and put windows in for him after he spent $200 for a windows disk, HP WOULDN'T GIVE HIM THE OS DISK!!

    GHD just had to send his computer away to get it fixed, he was out for a couple weeks. Yep, big time fancy store bought computers for you.
  • 22WRF Member Posts: 3,385
    Anti virus won't detect or stop a backdoor.
    They come thru open ports, Need Norton Security.
    Check your security here and there are some free programs here to help you.
    http://grc.com/default.htm

    I Refuse to be a Victim
    Grumpy old man
  • Big Sky Redneck Member Posts: 19,752 ✭✭✭
    Blackroses, not everybody uses FDISK to format, when you use FDISK you need to understand all the drive types and assign each and every drive, you need to assign partitions and it is a very long and tedious process. Much faster to use a DOS program called ULTIMATE BOOT DISK or MAXBLAST if you are going that deep into it.

    When you do a windows format from the boot floppy in DOS it DOES NOT TOUCH THE MBR. If the MBR is to be rewritten you need to type in FDISK MBR and let it run, IT IS NOT PART OF THE FORMAT.

    but then again, I don't know anything about comps. Gee, I wonder who put these comps together I have here and who set up my local intranet here in the house?HMM.

    I do have a question for anybody familiar with networking regarding NETBEUI.
  • n/a Member Posts: 168,427
    I do understand them. I have done them, and maybe where I come from a boot disk is something different than what is termed down here. And I do apologise for sounding like a complete jacka**.....
    I was NOT treated with any, shall we say, decency when I was taking my courses... none of the females were, and I started to see a bit of it here.. Everyone has a different way of formatting.. doing recoveries..etc. but if the end result is the same..and that is a 100% computer.. then so be it...and yes.. some of the terminology is a bit different as well..
    I have never seen a company not give disks when a comp is purchased, but again.. things are different here.. Please accept my apologies 7mm.. it's a bit of a trying time right now...
  • Knifecollector Member Posts: 3,267 ✭✭✭
    I want to thank each one who replied and helped me with my computer. I believe everything is alright now. I downloaded several programs to find, and clean up the problem. My knowledge of computers is very limited, so I appreciate all the help. I did learn that I have an open port # 139 that may require attention, I'll check into that later. I think the original problem was a bad transmission bug but I'm not sure. It seems to be gone now. Thanks again to everyone that helped. Robbie.
  • BlueTic Member Posts: 4,072
    Get your favorite anti-virus software, security software, harddrive and floppys. Put them in a visible location that has a good solid backdrop. Go to your closet and get your favorite shotgun and pistol.
    Load your software and boot your computer. I would suggest you do log on to the internet. Once the little worm has a bite of the bait, load your shotgun and aim at a point midway down your cpu (you don't want to just wound it). Now 3 quick rounds into the CPU and then get the pistol and blow away the rest, Yes - even the monitor and speakers. This will most definitely cure the problem. Hell you needed to upgrade by now anyway......

    IF YOU DON'T LIKE MY RIGHTS - GET OUT OF MY COUNTRY (this includes politicians)