Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Backdoor.Trojan?


  • This topic is locked This topic is locked
7 replies to this topic

#1 killragtshirts

killragtshirts

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:15 PM

Posted 18 February 2009 - 01:05 AM

Hi,

I am totally new to this site but have been reading a little bit through a few posts.

I have come across two machines yesterday that were infected with a Trojan and/or Malware .

The machines infected all showed similar behaviour. Task Manager would flash on the desktop but would not open completely and a popup kept saying to install a language pack. The mouse and keyboard cursor was jumping around the screen.

When I booted up into Safe mode it was all OK. I ran a Scan with Symantec Corporate 10.2 and it picked up some infected files with the names Backdoor.Trojan. I went to Symantec site and ran all the Backdoor removal software. No viruses were found.

I installed and ran MBam which picked up a trojan and deleted all infected entries that it found.

Still when I logged in again the behovior returned. Over the last 5 hours or so I tried the following applications ATF-CLeaner, CCleaer, Super Anti Spyware, RUbotted, Trojan Guarder, GMER, COMBOfix, Hitman Pro, Winsockfix, was watching unusual traffic go back to Singapore and beyond using Wireshark.

In the end I used Hijackthis to create a log and manually go through all the entries that looked suspicious. Processors were infected, .exe files found in C:\windows, C:\windows\System32, C:Program Files, services were added, registry was completely infected....Basically the machine was a mess.....

After manually deleting the services, removing the .exe's from Program Files and System Files etc the machine seems to be stable...However I am still going to blow it away as I just wanted to learn more about this infection.

I have attached the Hijackthis log..I understand this is not the proper software to run and attach however the machine seems to be clean now so i dont want to waste anyones time running more software and posting results when it might not show teh complete picture......

I would be very gratefull thought if someone could please tell me what infected my machine and is there any software dedicated to removing this Trojan/Virus/Malware etc?


Many THanks for your help

Attached Files



BC AdBot (Login to Remove)

 


#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Members
  • 19,461 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:12:15 AM

Posted 01 March 2009 - 01:44 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 killragtshirts

killragtshirts
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:15 PM

Posted 05 March 2009 - 10:26 PM

Hi,

Thanks for the reply...Sorry mine was late...Been on holis...

required info Attached....

Attached Files



#4 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:07:15 AM

Posted 09 March 2009 - 11:17 AM

Hi,


Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
  • Run Spybot-S&D in Advanced Mode
  • If it is not already set to do this, go to the Mode menu
    select
    Advanced Mode
  • On the left hand side, click on Tools
  • Then click on the Resident icon in the list
  • Uncheck
    Resident TeaTimer
    and OK any prompts.
  • Restart your computer


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds.txt log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#5 killragtshirts

killragtshirts
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:15 PM

Posted 10 March 2009 - 11:01 PM

Hi,

Managed to get this log...As soon as the machine connects to the net to grab the recovery console it starts trying to load a language pack and pretty much is unworkable...


Hope this helps..please let me know if i need to try again...

Attached Files



#6 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:07:15 AM

Posted 11 March 2009 - 09:55 AM

Hi again,

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Please post contents of that file in your next reply.
After that re-run ComboFix and post back its report & a fresh dds.txt log (re-run DDS to create one).

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#7 killragtshirts

killragtshirts
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:15 PM

Posted 16 March 2009 - 05:10 PM

Hi,

I am very sorry about this but my collegue rebuilt the infected laptop that I was using as a test.

Thanks very much for all your help.

You can now close this call.

#8 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:07:15 AM

Posted 17 March 2009 - 10:48 AM

Thanks for letting us know. Topic closed.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users