Backdoor.win32.wootbot


18 replies to this topic

#1 swas


Posted 23 February 2008 - 05:00 PM

Hi everyone, A squared during a routine scan last night found Backdoor.Win32.Wootbot. Is there a good way to clean this or should I post a full HJT log?? and is there anyway to find out how it got installed on the computer??

thanks
How beautiful it is to do nothing, and then rest afterward


#2 quietman7

Global Moderator

Posted 23 February 2008 - 10:52 PM

Did A squared provide a specific file name associated with this malware threat and, if so, where is it located (full file path) on your system? If the scan saved a log file, it should show exactly what and where the malware was found, so post that instead.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 swas


Posted 23 February 2008 - 11:01 PM

Hi quietman, unfortunately in my haste I deleted the file without getting the location. The a squared folder doesn't show any scan logs, so I'm not sure where else they might be. I did run a scan with AVG Antivirus and it didn't show anything. What other steps would you recommend? Trend Micro HouseCall did identify something called TSPY_ANALOGXPROXY, if that helps any.

thanks

Edited by swas, 23 February 2008 - 11:17 PM.


#4 quietman7

Global Moderator

Posted 24 February 2008 - 07:22 AM

If the file was deleted did you rescan with a squared to see if it had returned? samx.exe is the file name identified by Symantec and this malware copies itself to the system32 folder.

Backdoor Trojans, IRCBots and Infostealers are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms, and they steal sensitive information like passwords and personal and financial data, which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge. Read "Danger: Remote Access Trojans".

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. They should be changed using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

Although the backdoor Trojan was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the backdoor Trojan has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS. Please read "When should I re-format?".

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, please do the following.

Please print out and follow the instructions for using SDFix in BC's self-help tutorial "How to use SDFix".
-- When using this tool, you must use the Administrator's account or an account with "Administrative rights"
When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt. Please copy and paste the contents of Report.txt in your next reply.

#5 swas


Posted 24 February 2008 - 05:11 PM

Hi quietman, for some reason I've been unable to get SDFix to work on my computer. I can get the small dialog box to run for a split second, and then it goes away. I've tried installing it and running it in compatibility mode for XP Service Pack 2, but get the same results. I'm not sure what else to try with it. I did run a squared and HouseCall again, and both showed clear. I've also run AVG AV, AVG Anti-Spyware, SUPERAntiSpyware, Dr.Web CureIt, Spybot S&D, and they all showed clear. I'm not sure if it is gone; that just seemed a little too easy to remove to me. Would you think that everything is clear, or go ahead and reformat? Thank you

#6 boopme

Global Moderator

Posted 24 February 2008 - 08:06 PM

Here is my opinion, and you can wait a bit for Q7's.
From post #4:

Although the backdoor Trojan was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the backdoor Trojan has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS. Please read "When should I re-format?".


To me it may be OK to keep using it as is, but that really depends on what you use the machine for now and plan to in the future. If you plan to NEVER use any financials, passwords or online ordering, and NEVER will on this machine, then that's the chance you will take.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#7 quietman7

Global Moderator

Posted 24 February 2008 - 10:50 PM

Are you running SDFix from an "Administrator Account" or an "account with administrator privileges"?

If not, please do so. If you are, then try running SDFix in normal mode just to see if it's working. If it works in normal mode, type U to update and follow the prompts so you can get a fresh download in case the file was corrupted, and try running it again in safe mode. If it still doesn't work in safe mode, run SDFix in normal mode again, type S, then press Enter so it will change to the safe mode screen. Then type Y to start.

If that fails, then it's possible find.exe is missing from your system32 folder. If that's the case, the fix cannot verify it is running on XP and that would make it quit.

#8 swas


Posted 25 February 2008 - 01:14 AM

I've tried downloading again and reinstalling, but I can't get SDFix to work. The only account on the computer is administrator. It might not be compatible with Vista maybe? I tried all of the troubleshooting tips that were included in the link you provided, but that didn't work either. Is there anything else to try, or just reformat? I did run F-Secure's Wootbot cleaning tool: http://www.f-secure.com/v-descs/wootbot.shtml. Not sure how good that is, but it came up clean also. Thanks again for the help

#9 quietman7

Global Moderator

Posted 25 February 2008 - 08:46 AM

SDFix works on Windows XP and 2000. I did not realize you have Vista or I would not have asked you to use it. My intent with SDFix was to double-check for other possible malware.

F-Secure's cleaning tool is good. The fact that it came back clean indicates the malware has been successfully removed. If you're not having further problems or signs of infection, then we probably have cleaned your system the best we can.

Is there anything else to try, or just reformat?

Your decision as to what action to take should be made by asking yourself the questions presented in the "When should I re-format?" link. Reformatting and doing a clean install of the OS is the safest action, but I cannot make that decision for you.

#10 swas


Posted 25 February 2008 - 04:26 PM

Sorry for the confusion, I should have told you that I have Vista. I'm not experiencing any problems that I have noticed, but I think I'll go ahead and reformat just to be on the safe side. It's not that big of a deal; it just takes a few hours to get all the programs and settings that I like. I do have a couple more questions if you don't mind. Is this Trojan something that has to be installed with an .exe file? From an e-mail maybe? Or can you be infected just by visiting a website? And do you know of a Vista-compatible program that shows all open ports on a computer?

#11 quietman7

Global Moderator

Posted 26 February 2008 - 08:42 AM

That's the decision I would have made if this were my system.

Some types of malware can result in a system so badly damaged that a Repair Install will NOT help! Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Starting over, reformatting the drive and performing a clean install of the OS removes everything and is the safest action.

Do you know of a Vista-compatible program that shows all open ports on a computer?

CurrPorts

Information on Backdoor.win32.wootbot and Wootbot infections.
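Post #10 asks for a Vista-compatible way to see open ports and post #11 points at CurrPorts. As an added example (not code from this thread, from CurrPorts or from BleepingComputer), the Python script below does the same job from the built-in `netstat -ano` and `tasklist` commands, which exist on XP and Vista: it parses netstat's rows, resolves each PID to an image name, and flags listening sockets owned by a process that is not on a reviewed allowlist, then shows where that process is connected out to. The netstat text, the PID-to-name map, the `samx.exe` row (the file name post #4 mentions) and the allowlist are all constructed for the demo; on a real machine you would paste in the actual command output and tune the allowlist to that host.

```python
"""Parse Windows `netstat -ano` output and report listening ports by owning
process (an added example, not code from the thread or from CurrPorts).

On a live XP/Vista machine the two inputs come from the built-in commands
`netstat -ano` (connections with PIDs) and `tasklist` (PID to image name);
here both are constructed samples so the script runs offline.
"""
import re
from typing import Dict, List, NamedTuple


class Conn(NamedTuple):
    proto: str       # TCP or UDP
    local_addr: str
    local_port: int
    remote: str      # foreign address as printed by netstat
    state: str       # LISTENING, ESTABLISHED, ... ("" for UDP rows)
    pid: int
    process: str     # image name resolved from the tasklist map


# Constructed sample of `netstat -ano` output. The samx.exe row mirrors the
# file name post #4 attributes to this malware; the addresses are documentation
# ranges, not real endpoints.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       3120
  TCP    127.0.0.1:1035         127.0.0.1:1036         ESTABLISHED     1844
  TCP    192.168.1.5:49162      203.0.113.10:6667      ESTABLISHED     3120
  UDP    0.0.0.0:500            *:*                                    1320
"""

# Constructed PID -> image name map, as `tasklist` would report it.
SAMPLE_TASKLIST: Dict[int, str] = {
    4: "System", 876: "svchost.exe", 1320: "lsass.exe",
    1844: "firefox.exe", 3120: "samx.exe",
}

# Image names that normally own listening sockets on a stock Windows install.
# This allowlist is an assumption of the example; review and tune it per host.
EXPECTED_LISTENERS = {"System", "svchost.exe", "lsass.exe",
                      "services.exe", "wininit.exe"}

# Columns: proto, local addr:port, foreign addr, optional state, PID.
# UDP rows have no state column, so that group is optional.
ROW_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)


def parse_netstat(text: str, processes: Dict[int, str]) -> List[Conn]:
    """Turn netstat text into Conn rows, resolving PIDs via the tasklist map."""
    rows: List[Conn] = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header and blank lines
        proto, addr, port, remote, state, pid = m.groups()
        pid_int = int(pid)
        rows.append(Conn(proto, addr, int(port), remote, state or "",
                         pid_int, processes.get(pid_int, "<unknown>")))
    return rows


def listening(rows: List[Conn]) -> List[Conn]:
    """Sockets that accept inbound traffic: TCP in LISTENING state, or any UDP bind."""
    return [r for r in rows if r.proto == "UDP" or r.state == "LISTENING"]


def unexpected_listeners(rows: List[Conn],
                         expected=EXPECTED_LISTENERS) -> List[Conn]:
    """Listening sockets owned by a process outside the allowlist: the rows a
    backdoor adds, and the ones to investigate first."""
    return [r for r in listening(rows) if r.process not in expected]


def connections_of(rows: List[Conn], process: str) -> List[Conn]:
    """Every socket owned by one image name, so a flagged process's outbound
    peers (a bot's command channel, for instance) can be read off directly."""
    return [r for r in rows if r.process == process]


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT, SAMPLE_TASKLIST)
    for c in unexpected_listeners(conns):
        print(f"{c.proto} {c.local_addr}:{c.local_port} pid={c.pid} {c.process}")
        for peer in connections_of(conns, c.process):
            if peer.state == "ESTABLISHED":
                print(f"   connected to {peer.remote}")
```

Run as-is it flags the constructed `samx.exe` listener on port 6667 and prints its established peer; CurrPorts presents the same PID-to-process view in a GUI, and the allowlist check is what turns a raw port list into something a forum helper can act on.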

#12 swas


Posted 26 February 2008 - 01:02 PM

Thank you again. What do I need to do to reinstall Windows? I can save my files on a DVD. Please tell me how to wipe the hard drive. Is there any difference if I am running Vista?

Thanks again for the links

#13 quietman7

Global Moderator

Posted 26 February 2008 - 01:12 PM

I don't use Vista and have never had the chance to play with it. Just start a new topic in the Windows Vista forum. We have members who have gone through this procedure before who can provide the assistance you require.

#14 swas


Posted 26 February 2008 - 01:33 PM

Ok, I will ask on that forum. Is there a way that a backdoor Trojan can open a port even if there is a firewall? Sorry for the questions, just trying to learn. Thanks to you and others on this forum I have never had any malware for two years, until I allowed one of my friends to use my computer, and he managed to get the most dangerous type of malware you can possibly be infected with. :thumbsup: You live, you learn I guess

#15 quietman7

Global Moderator

Posted 26 February 2008 - 01:44 PM

Trojans FAQs
Trojan Programs
What is a backdoor trojan?



