
Looks like a trojan infection


5 replies to this topic

#1 funnytim

funnytim

  • Members
  • 624 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:09:35 PM

Posted 22 November 2008 - 10:06 PM

Hey everyone,

I am helping a friend with her computer. Apparently her facebook has "done stuff" that she didn't do on it, which probably seems to lead to an infection problem.

When I asked her to run an anti-malware scan, the scan "found some worms (about 5000!)", using http://housecall.trendmicro.com . Also, she used her copy of Spyware Terminator, which found and cleaned "a Trojan Horse, the kind that hackers use to control your computer and the passwords (according to the Terminator)."

Some repeated scans I asked her to do sometimes resulted in the trojan still being there, which she said she deleted manually. However I have my doubts if the trojan is really actually completely gone, because later on she said that trojans have re-appeared:

Actually I had to reboot anyway, yesterday I found about 30 Trojans, and it was really bad. I found another one after the reinstall, deleted it, now, it looks like the whole comp is clean. I don't understand the quantity of the Trojans,


in the last few days I found 5 more trojans, I think they must replicate or something...my facebook page seems to be ok, however sometimes some old news still slip in.



She also tried this:

yesterday I found about 30 Trojans, and it was really bad. I found another one after the reinstall, deleted it, now, it looks like the whole comp is clean. I don't understand the quantity of the Trojans,



According to her she even tried a clean install of Windows:

Yes, I did a clean install, everything was erased, but I copied some of my stuff from disc C onto the disc D, some movies and stuff like that. After reinstall I found another trojan, but I erased it and since then the comp is clean (according to my antivirus).

But I found more strange things, for example I was chatting with my friend over the msn (the netstat was running at the time) and I could see his ip address despite the fact that no files were transferred (actually I'm not able to send him anything, file transferring is blocked on my msn for I don't know what reasons, we've tried it a few times long time ago), we were really just chatting, and his ip address was using a quite weird port number: 35631.


It seems like after trojans are found & deleted, more reappear on a later scan.


Lastly, she mentioned she found

port 139, netbios ssn... [she] found [it] among the active ports and according to google it doesn't mean anything good.



So...any suggestions on how to clean this up?

Thanks in advance!


 


#2 ruby1

ruby1

    a forum member


  • Members
  • 2,375 posts
  • OFFLINE
  •  
  • Local time:05:35 AM

Posted 23 November 2008 - 10:29 AM

What is the OS, please?

Yes, I did a clean install, everything was erased, but I copied some of my stuff from disc C onto the disc D, some movies and stuff like that.


My reading of that makes me suspect she did not ensure that these items were infection-free when she transferred them, and she has then put them back on her apparently 'clean' machine and promptly re-infected herself?

Does she need anything from that computer or can she get it from elsewhere, as I suspect she may be best off with a complete reformat and reinstall; I know it is asking the hopefully obvious, but did she use a legit CD with her licence key to do this?

Also, she used her copy of Spyware Terminator, which found and cleaned "a Trojan Horse, the kind that hackers use to control your computer and the passwords (according to the Terminator)."


Does she do any on-line banking etc?

If so, if she even suspects she HAS been the recipient OF such an infection she would be well advised to change ALL her passwords etc on a known CLEAN computer and NOT on that one; please let us know?

And to state the hopefully obvious, she is NOT using MSN, is she, while this is going on?

Also; how are YOU communicating with her, as you TOO may get infected if this is by e-mail

Also; please be advised that Facebook has recently suffered an infection; (at work we are forbidden to access the site and it has been blocked)

#3 funnytim

funnytim
  • Topic Starter

  • Members
  • 624 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:09:35 PM

Posted 25 November 2008 - 01:44 AM

Hey, thanks for the reply.

In regards to how I'm communicating with her, it is through a forum I made. However she said she is using msn.

Also,

I'm using Windows XP, it is of course legit, but it's not from cd, the restoration is carried out from the computer, I think it's called factory restoration, I'm not sure, but I think that is what might have happened, the trojans I've found after the restoration were on disc D, the one that remained untouched (and I transferred some movies from C to D)...


I asked her about "important" sites such as online banking, and this was her reply:

Yes, I have internet banking, but everything's fine, my money is still there....I'll try to change all my passwords on a different computer, but I'm not sure if I can change the one with the online banking, I think I got that one from the bank.


Also more trojans have appeared again:

I found about 4-5 trojans in the last few days, I downloaded the Kaspersky lab antivirus and it detected a keylogger activity, but didn't terminate it, but I'm not really sure if this even was a real threat, because according to kaspersky the keylogger was my acer arcade.


Many thanks for your continued help ;)

#4 ruby1

ruby1

    a forum member


  • Members
  • 2,375 posts
  • OFFLINE
  •  
  • Local time:05:35 AM

Posted 25 November 2008 - 06:55 AM

but I'm not sure if I can change the one with the online banking, I think I got that one from the bank.

She should be able to change that on a NON infected computer but, while she continues to run the infected one she is compromising herself and spreading the infection to anyone with whom she msn's; she ought to stop that and advise ALL her contacts to check their machines THOROUGHLY for infections.

You might wish to ask her what method she used to clean the Windows and reinstall it?
Any of these?
http://h10025.www1.hp.com/ewfrf/wc/documen...cname=bph07145??

I suspect she managed to reinfect herself from the stored 'infected' data which she promptly reinstalled :thumbsup:

#5 funnytim

funnytim
  • Topic Starter

  • Members
  • 624 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:09:35 PM

Posted 25 November 2008 - 11:30 AM

I've asked her about her method of installing, however the link you sent me doesn't seem to work...?

I restored my system's factory default configuration and the trojans were in the backup files which the erecovery created before the restoration.


Edited by funnytim, 25 November 2008 - 02:31 PM.


#6 ruby1

ruby1

    a forum member


  • Members
  • 2,375 posts
  • OFFLINE
  •  
  • Local time:05:35 AM

Posted 25 November 2008 - 04:12 PM

My link DID work but now embarrassingly does not now and I cannot as yet locate it even on a long search :thumbsup:

(still searching here ....)



