

Backdoor.bot


  • This topic is locked
8 replies to this topic

#1 deathxcs

deathxcs

  • Members
  • 5 posts
  • OFFLINE
  • Local time:02:32 PM

Posted 13 October 2009 - 08:30 AM

Right, so recently I've had my accounts hacked in certain places (online games and such), and when I scanned my computer with Kaspersky, which I thought to be extremely reliable, it couldn't pick up anything. I recently used Malwarebytes' Anti-Malware, and this is the log I got:

Malwarebytes' Anti-Malware 1.41
Database version: 2953
Windows 5.1.2600 Service Pack 2

13/10/2009 13:23:52
mbam-log-2009-10-13 (13-23-52).txt

Scan type: Full Scan (C:\|)
Objects scanned: 173431
Time elapsed: 56 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{af2e62b6-f9e1-4d4f-a10a-9dc8e6dcbcc0} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RPCHE (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Now, the things it picked up were disabled.securitycenter, hijack.startmenu, adware.videoegg and backdoor.bot. I read here (http://www.bleepingcomputer.com/forums/topic222145.html) that 'Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS.'

I recently did another scan with Malwarebytes, and got this result:
Malwarebytes' Anti-Malware 1.41
Database version: 2953
Windows 5.1.2600 Service Pack 2

13/10/2009 14:23:39
mbam-log-2009-10-13 (14-23-39).txt

Scan type: Full Scan (C:\|)
Objects scanned: 173092
Time elapsed: 45 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Now, apparently everything is cleaned, but from the quote I posted, I am not sure whether to trust my PC anymore... would it be wise to reformat my PC?
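The two logs above follow a fixed layout, and the lines that matter for the decision in this thread are the individual detections, not the summary counts. As an added example (not part of the original post and not Malwarebytes' own tooling), the Python below parses that layout into structured records and triages them: a Backdoor.* family is treated as a reason to rebuild, a Disabled.SecurityCenter data item with Bad: (1) as tampering with Security Center warnings, and everything else as a nuisance finding. The sample input is the first log posted above; the family prefixes and the triage labels are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input: the first Malwarebytes' Anti-Malware log posted above, trimmed to
# the header and the sections that carry detections.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.41
Database version: 2953
Windows 5.1.2600 Service Pack 2

Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 3

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{af2e62b6-f9e1-4d4f-a10a-9dc8e6dcbcc0} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RPCHE (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
"""


@dataclass
class Detection:
    section: str                # e.g. "Registry Keys Infected"
    item: str                   # registry path, file or folder
    family: str                 # name in parentheses, e.g. "Backdoor.Bot"
    action: str                 # what the scanner did with it
    bad: Optional[str] = None   # "Bad: (x)" value, data items only
    good: Optional[str] = None  # "Good: (y)" value, data items only


@dataclass
class MbamReport:
    version: str = ""
    database: str = ""
    counts: Dict[str, int] = field(default_factory=dict)
    detections: List[Detection] = field(default_factory=list)


COUNT_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>.+ Infected):$")
# item, then "(family) -> ", then an optional "Bad: (x) Good: (y) -> ", then the action.
DETECTION_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> )?"
    r"(?P<action>.+)$"
)


def parse_mbam_log(text: str) -> MbamReport:
    """Turn the text of an MBAM 1.x log into an MbamReport."""
    report = MbamReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Malwarebytes' Anti-Malware "):
            report.version = line.split(" ")[-1]
            continue
        if line.startswith("Database version: "):
            report.database = line.split(": ", 1)[1]
            continue
        m = COUNT_RE.match(line)
        if m:                       # summary block: "Registry Keys Infected: 2"
            report.counts[m["section"]] = int(m["count"])
            continue
        m = HEADER_RE.match(line)
        if m:                       # detail block header: "Registry Keys Infected:"
            section = m["section"]
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = DETECTION_RE.match(line)
        if m:
            report.detections.append(Detection(
                section, m["item"], m["family"], m["action"], m["bad"], m["good"]))
    return report


# Assumed triage rules for this example (not an MBAM feature): a Backdoor.* family
# means the machine could be driven remotely, which is the reason given in this
# thread for rebuilding; a Disabled.SecurityCenter item whose Bad value is 1 means
# a Security Center warning had been switched off; anything else is a nuisance.
def triage(report: MbamReport):
    findings = []
    for d in report.detections:
        if d.family.startswith("Backdoor."):
            label = "rebuild-recommended"
        elif d.family == "Disabled.SecurityCenter" and d.bad == "1":
            label = "defence-tampering"
        else:
            label = "nuisance"
        findings.append((label, d.family, d.item))
    return findings


def needs_rebuild(report: MbamReport) -> bool:
    return any(label == "rebuild-recommended" for label, _, _ in triage(report))


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    for label, family, item in triage(rep):
        print(f"{label:20} {family:25} {item}")
    print("rebuild recommended:", needs_rebuild(rep))
```

Run stand-alone it prints one triaged line per detection. The second log in the post parses to zero detections, which is exactly why counts alone mislead: a clean second scan says nothing about what the first one found.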


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,604 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:32 PM

Posted 13 October 2009 - 10:15 AM

Your decision as to what action to take should be made by reading and asking yourself the questions presented in these articles:

Backdoor Trojans, rootkits, Botnets and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned, repaired or trusted, especially if you are dealing with rootkit components that can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. The malware may leave so many remnants behind that security tools cannot find them, and a Repair Install will NOT help! Reinstalling Windows without first wiping the entire hard drive with a repartition/reformat will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Starting over by wiping your drive, reformatting, and performing a clean install of the OS, or doing a factory restore with a vendor-specific Recovery Disk or Recovery Partition, removes everything and is the safest action, but I cannot make that decision for you.

Further, if your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information.

Edited by quietman7, 13 October 2009 - 10:19 AM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 deathxcs

deathxcs
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:02:32 PM

Posted 13 October 2009 - 11:04 AM

Ok, thanks for your help. You say that Reinstalling Windows without first wiping the entire hard drive with a reformat won't remove the infection. But I am not sure how to reformat properly to remove the infection... I am new to this sort of stuff. Would the steps on http://forums.cnet.com/5208-10149_102-0.html?threadID=66200 be the right way to reformat and remove the infection?

1. Backup All Data.
2. Unplug all USB devices like printers, scanners and palm pilots. If you have several internal cards that you added after you purchased the computer, you may need to remove these.
3. Check Manual for proper key to press for restore or it may show up on the opening screen.
4. Enter restore mode.
5. Follow onscreen instructions. (takes about 30 min)
6. Install Drivers for special hardware (hardware that did not come with computer)
7. Check Device Manager for any Yellow Exclamation Points indicating missing drivers or errors. Click START-CONTROL PANEL-SYSTEM-HARDWARE-DEVICE MANAGER. (Select Classic View) If you have any Yellow Exclamation Points, you will probably need to install drivers for these devices from your CD for that piece of hardware.
8. At this point you have a fairly clean installation and it is time to Update windows. Download and install all Windows updates, especially Service Pack 2 (if not already at SP2).
9. Install and setup any additional external hardware like printers, scanners, Palm pilots, etc. Install each one at a time and reboot and test before installing the next item.
10. Install additional software that you have on CD like Office, Quicken and Photoshop, except Antivirus software. Again install one at a time, reboot and test before going on to the next.
11. Once you have all the hardware and software installed and running, it is now time to install any security products that you may have like antivirus software, Software Firewalls and Spyware/popup blockers. (you don't want to have too many redundant programs running)
12. With Antivirus software up and running and updated online with the latest virus definitions installed, you can now go online and look for updates for other software or download programs that you want to reinstall.
13. Using whatever method you used to backup your data, you can now restore your data back to your computer. Don't do this until you have antivirus software running. You don't want to bring back viruses that may have caused your original problems.
14. You can now go in and tweak your settings to what ever you like, add screen savers and set things up the way you want.
15. Now that everything is up and running just the way you like it, it is time to backup your settings. I prefer to use something like Norton Ghost to make a disk image of this state. If you want to reformat and restore your computer again in the future, you can restore it back to this point instead of all the way back to the beginning, saving a huge amount of time. You could also use Windows XP Pro Backup to make a recovery set. I also recommend using Windows Restore to save a Restore Point at this point. Some people like to set a restore point after each of the steps above in the event that something goes wrong along the way.



#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,604 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:32 PM

Posted 13 October 2009 - 11:11 AM

If you're not sure how to reformat or need help with reformatting, please review:

These links include step-by-step instructions with screenshots:

Vista users can refer to these instructions:

Don't forget you will have to go to Microsoft Update and apply all Windows security patches after reformatting.

Note: If you're using an IBM, Sony, HP, Compaq, Toshiba or Dell machine, you may not have an original XP CD Disk. By policy Microsoft no longer allows OEM manufacturers to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. See Technology Advisory Recovery Media. If the recovery partition has become infected, you will need to contact the manufacturer, explain what happened and ask them to send full recovery disks to use instead.

Reformatting a hard disk deletes all data. Should you decide to reformat or do a factory restore due to malware infection, you can back up all your important documents, personal data files and photos to a CD or DVD drive, not a flash drive or external hard drive, as they may become compromised in the process. The safest practice is not to back up any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml) because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executable files inside them, as some types of malware can penetrate and infect .exe files within compressed files too. Other types of malware may even disguise themselves by adding and hiding their extension to the existing extension of file(s), so be sure you look closely at the full file name. Then make sure you scan the backed-up data with your anti-virus prior to copying it back to your hard drive.

If your CD/DVD drive is unusable, another word of caution if you are considering backing up to an external USB hard drive as your only alternative. External drives are more susceptible to infection and can become compromised in the process of backing up data. I'm not saying you should not try using such devices, but I want to make you aware of all your options and associated risks so you can make an informed decision if it's worth that risk.

Again, do not back up any data with the following file extensions: .exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab, as they may be infected.

If you need additional assistance with reformatting or partitioning, you can start a new topic in the Windows XP Home and Professional forum.
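The backup rules in the reply above (leave executable, script and autorun extensions behind, refuse archives that carry executables, look closely at disguised double extensions) can be applied mechanically when choosing what goes onto the backup medium. The Python below is an added example, not code from the post or from BleepingComputer, that does this over a directory tree. It builds a small constructed sample tree in a temporary directory; the sample file names, the verdict labels, and the decision to refuse .rar and .cab outright (they cannot be opened with the standard library, so this example does not try) are the example's own assumptions. Deciding by name is only the first filter: the post still calls for scanning the copied data with an up-to-date antivirus before restoring it.

```python
import os
import tempfile
import zipfile
from pathlib import Path

# Extensions the reply above says should not be carried across a rebuild.
RISKY_EXTENSIONS = {"exe", "scr", "ini", "htm", "html", "php", "asp", "xml"}
# Archives the reply warns about: a zip can be opened and its member names checked;
# .rar and .cab would need third-party tools, so this example refuses them (assumption).
INSPECTABLE_ARCHIVES = {"zip"}
OPAQUE_ARCHIVES = {"rar", "cab"}


def extensions_of(name: str):
    """All dotted suffixes of a file name, lower-cased and with padding stripped,
    so 'holiday.jpg   .exe' yields ['jpg', 'exe'] and the padding trick is defeated."""
    parts = name.split(".")
    return [p.strip().lower() for p in parts[1:] if p.strip()]


def backup_decision(name: str):
    """Decide from the file name alone. Returns (verdict, reason) where verdict is
    'backup', 'skip' or 'inspect' (zip whose members still need checking)."""
    exts = extensions_of(name)
    if not exts:
        return ("backup", "no extension")
    last = exts[-1]
    if last in RISKY_EXTENSIONS:
        if len(exts) > 1:   # e.g. photo.jpg.exe: a risky type hiding behind a harmless one
            return ("skip", "disguised double extension ." + ".".join(exts))
        return ("skip", "risky extension ." + last)
    if last in OPAQUE_ARCHIVES:
        return ("skip", "archive that cannot be inspected here")
    if last in INSPECTABLE_ARCHIVES:
        return ("inspect", "zip archive: check contents")
    return ("backup", "ok")


def zip_risky_members(path):
    """Names of zip members that would themselves be skipped by name."""
    with zipfile.ZipFile(path) as zf:
        return [m for m in zf.namelist() if backup_decision(Path(m).name)[0] == "skip"]


def plan_backup(root):
    """Walk a tree and split it into (keep, skip) lists of (relative path, reason)."""
    keep, skip = [], []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            full = os.path.join(dirpath, f)
            rel = os.path.relpath(full, root)
            verdict, reason = backup_decision(f)
            if verdict == "inspect":
                bad = zip_risky_members(full)
                if bad:
                    verdict, reason = "skip", "zip contains " + ", ".join(bad)
                else:
                    verdict, reason = "backup", "zip contents clean by name"
            (keep if verdict == "backup" else skip).append((rel, reason))
    return keep, skip


def build_sample_tree(root):
    """Constructed sample data for this example, not files from the thread."""
    root = Path(root)
    (root / "letter.doc").write_text("dear sir")
    (root / "holiday.jpg").write_bytes(b"\xff\xd8\xff")
    (root / "holiday.jpg   .exe").write_bytes(b"MZ")      # padded double extension
    (root / "chatlog.xml").write_text("<log/>")
    (root / "notes.txt").write_text("plain")
    with zipfile.ZipFile(root / "photos.zip", "w") as zf:
        zf.writestr("beach.jpg", "x")
    with zipfile.ZipFile(root / "tools.zip", "w") as zf:
        zf.writestr("readme.txt", "x")
        zf.writestr("installer.exe", "MZ")
    return root


def demo():
    """Build the sample tree in a temp dir and return (sorted keep names, {skip: reason})."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        keep, skip = plan_backup(tmp)
        return sorted(n for n, _ in keep), dict(skip)


if __name__ == "__main__":
    kept, skipped = demo()
    print("keep:", kept)
    for name, why in skipped.items():
        print(f"skip: {name!r}: {why}")
```

The poster's .xml chat logs fall on the skip side under these rules, which matches the advice in the thread to save them as .txt instead; the example treats the extension list as given and does not second-guess it.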

#5 deathxcs

deathxcs
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:02:32 PM

Posted 13 October 2009 - 12:02 PM

Any .xml may be infected? I have chat logs that I like to keep, they are .xml, but I suppose I can stick them in a .txt instead.

Other than that, the only means of back up I have is a 4 gig flash drive and a 4 gig mp4 player, so I was hoping to put any files on the flash drive and any music on the mp4 player, but they might get infected.

Anyway, thanks again for your help.

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,604 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:32 PM

Posted 13 October 2009 - 01:39 PM

You're welcome and good luck.

#7 deathxcs

deathxcs
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:02:32 PM

Posted 13 October 2009 - 04:54 PM

Ok, Malwarebytes says I have nothing harmful on my PC anymore... and I have scanned with a few other programs. However, now I have found a problem with my Recycle Bin. It claims it is full, but when I look inside, there is nothing there. When I right click on the Recycle Bin and try to delete, it asks me if I want to delete 'WINDOWS'. And when I try to empty the empty Recycle Bin, it says 'Cannot delete dc3: access is denied'. And so, when I used a command prompt to try to sort out my Recycle Bin, it came up with something about 'dc3.exe'. A Google search on this says that it is a 'Bank Information Stealer'. So after all those scans, I feel like I am back to square one, unless this is just a Recycle Bin error... so I think a reformat may be in order.

#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,604 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:32 PM

Posted 13 October 2009 - 07:10 PM

Again, reformatting is an option or we can try something else but I can't make that decision for you.

#9 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,994 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:03:32 PM

Posted 23 October 2009 - 10:21 PM

Hello,

I see that you posted a log here: http://www.bleepingcomputer.com/forums/t/263898/hijackthis-log-possible-keylogger/ prior to your posting this topic. Please note: you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, up to two weeks from the posting date, perhaps less, to get a response, but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses, as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



