
Hidden Trojan or Back Orifice-like Viruses?


8 replies to this topic

#1 dreez

Posted 03 June 2010 - 03:20 PM

First of all, thank you in advance for helping!

I use XP Media Center Edition with SP3. I have an ACER Aspire 5100 w/ AMD Turion 64 X2 Mobile Technology TL-50 797 MHz, 1.87 GB of RAM.

I recently installed McAfee Internet Security; I was using an older NAV Corporate Edition. I recently removed SpyBot S&D and now have a-squared Free and Malwarebytes' Anti-Malware, which have all detected their own problems in various areas. I have recently used COMODO System Cleaner to clean my registry as well. I have tried to use an online scanner (Bitdefender or whatever); however, mid-scan my CPU froze with many white vertical lines on a black background covering my entire screen.

I have compared my boot programs and running applications to your lists and many do not appear harmful, others unknown.

Let me back it up about a month. I re-installed a game I used to play over the internet (GunZ the Duel). I played it fine for about 2 weeks and all of a sudden it started having lagging issues. Gameplay was slowed considerably and it was difficult to play. I then tried to adjust video quality settings and power/performance settings to try to improve gameplay. No improvements. I then ran a virus scan with NAV... Nothing found. I then took an AV (forgot which program) bootable CD and ran that. All that found was tracking cookies and digital signatures which have expired. Since then I have tried to play the game with a different internet connection to try to determine if it was my internet causing the problems. Same problems.

A couple of days later, I receive a message from NAV prompting "User Aborted Scan." I try to run a manual scan and the same thing happens... Now I am concerned. I decided to switch to McAfee and inserted the CD into my CD/DVD Multi Recorder and it does not recognize that there is a CD in the drive. I tried other CDs, both media and application based; neither works... However, DVDs work. I do not have any blank DVDs or CDs so I am unable to determine if the burner works. I have tried following a couple of different tutorials on fixing the CD drive... nothing seemed to work for me, which is why I decided to start cleaning my computer. I have been cleaning everything for a while now and have the above programs installed. (I even restored to a point prior to installing the game.) I have performed many different scans in regular and safe mode.

Everything is slower now, my CPU hits 100% too often. In safemode my computer was getting too hot to be normal during scan. Fan is working... I have cleaned a bunch but need to clean more. I have also noticed my camera light blink randomly when I haven't used any program which utilizes the camera...


I know:

4. When you post, it makes sense to follow the rule: one problem, one post. The more problems you include in one post, the more likely the chance one or more of them will get lost or unanswered, especially if the problems require different areas of knowledge. Letting different kinds of problems be answered by members with different areas of expertise will be quicker and probably result in better responses.


I just want to focus on whether or not there is a virus first. After that we can figure if I am still having a problem with my CD player and overall performance of my CPU. ;)

Thanks!



#2 chromebuster

Posted 03 June 2010 - 04:20 PM

Hi,
I'm just curious, where did you learn about Back Orifice? It is very rare, so I doubt you have it. But you might want to scan with MBAM and see if that helps at all. And another question. How is the game you play hosted? Is it one of those sites that offer free game play as long as their proprietary software is installed (AKA GameVance, PlaySushi)? If so, I'd recommend you refrain from playing those things as they can cause you more issues than fun with game play. My Dad had GameVance on his laptop, and it was causing it to run slower than the yin yang. Hope this helps.

Regards,
Chromebuster

The AccessCop Network is just me and my crew. 

Some call me The Queen of Cambridge


#3 dreez (Topic Starter)

Posted 03 June 2010 - 06:36 PM


Hey Chromebuster,

Thanks for the response!

Back Orifice, NetBus and similar threats have been around for a while now... I believe the first instance of Back Orifice was discovered in 1998?? Not sure when or where I first heard of it... I have manually removed a number of viruses in my day and I tend to blame the backdoors for ones I can not personally determine...

The game had to be launched through another program which has access to the internet. It also uses hacker prevention software, so there are multiple programs running in order to play the game... I am fairly sure it is different from GameVance as it doesn't appear as malware or anything harmful in itself. The game does require enough ports to be opened on all ends though, due to user interaction or whatever... I have removed every aspect of this game that I can think of last night... I can scan with MBAM again... I mean I haven't used it since this morning. :thumbsup:

But I agree, These free games are either loaded with malware or security holes allowing an advanced hacker to slip right in... I hope I am wrong... but there could be something nasty lurking in my CPU.

Thanks again,
Dreez

#4 chromebuster

Posted 03 June 2010 - 07:24 PM

No problem at all. Any time. Ah yes, you could indeed have something having a good time, but I think we can get it out if we work quickly enough. And BTW, you're right about Back Orifice, for it was first introduced in 1998, though as I said before, I highly doubt you have to worry about that as that program has more of a legitimate following nowadays than it used to. Another thing you should try is the ESET online scanner. It's a killer! If and when you set that up, make sure that you tick the box that says remove threats. All you have to do is to go to www.eset.com/onlinescan. From there you will be presented with a prompt to install an ActiveX control. Allow the control to be installed, for that is the scanner downloading the databases and components it needs in order to work properly. Internet Explorer is the easiest browser to work it from since you do not have to save anything locally to your hard drive. Let me know if that helps.

Regards,
Chromebuster



#5 dreez (Topic Starter)

Posted 03 June 2010 - 10:31 PM


So a-squared Free 4.5 has detected, quarantined and deleted 2 .EXEs (trojan-dropper.msil!ik) which were hiding in C:\System Volume Information\_Restore{... which MBAM never detected.

I think this is the 3rd time in the past 2 days I have removed different types of trojans... mehhh we will see.

PS: the reasons I was thinking of some NetBus or backdoor infection are that the CD drive isn't working and the camera light shows activity when not in use (by me), on top of the slower CPU speed, and all of it started occurring at once. Feels like someone is taking pictures of me (not quite sure why... lol) on my webcam.

Have yet to try out ESET; however, a-squared is ranked higher than ESET... I'll let it run overnight and see if it finds anything. :thumbsup:

#6 dreez (Topic Starter)

Posted 04 June 2010 - 05:49 PM

Update...

ESET found:

C:\system volume information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP372\A0075415.exe a variant of Win32/Adware.RegGenie application cleaned by deleting - quarantined

I'll run a few more checks by various scanners... do a defrag or something and keep you updated... I just want my old laptop back... :thumbsup:

#7 chromebuster

Posted 05 June 2010 - 08:47 PM

We'll get your computer back for you, of course. In my opinion, despite all the misconceptions, there is hope for anything. And I'll tell you one thing: you've got to love those protected directories. System Volume Information is the directory where all of your restore points are kept and referenced. In that case, it is hard for tools to get to it to delete or modify files in it, but it seems that ESET was able to take care of that file. And by the name of it, had you been receiving any fake alerts, anything telling you that you have massive issues with your computer and something demanding that you pay in order to fix them? If so, you have a rogue aboard, and those can be gotten rid of with MBAM most often, so it seems strange that the scan detected nothing. After running a-squared, try running it again, but this time use the full scan option, and then see if it finds anything. Have it delete what it finds. Hope this helps,

Chromebuster

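The point chromebuster makes above, that a hit under System Volume Information is a copy held by a restore point rather than a file the system is actually running, is worth separating out mechanically when you read scan results. The following is an added example for this thread, not code from the page, from ESET or from a-squared. It parses lines shaped like the ESET result quoted in post #6 (path, detection name, action taken, separated by whitespace; the exact layout and the extension list used to find the end of the path are assumptions for the example), pulls the restore point number out of the `_restore{GUID}\RPnnn` path, and reports which detections were live and which were only cached copies. The sample log is constructed: its first line is the one quoted in post #6, the other two are made up to show a second restore point and a hit on the live file system.

```python
"""Sort antivirus detections by where on disk they were found.

Added example for this thread; not code from the page, from ESET or from
a-squared.  It parses lines shaped like the ESET Online Scanner result quoted
in post #6 (path, detection name, action taken, separated by whitespace) and
separates hits that sit inside a System Restore point
(System Volume Information\\_restore{GUID}\\RPnnn\\A00nnnnn.ext) from hits on
the live file system.  A restore-point hit is a cached copy that System
Restore would put back, which is why scanners keep finding the same file
there after a reboot and why the usual advice is to purge restore points
once the live system is clean.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Paths contain spaces ("System Volume Information"), so in this line shape the
# file extension is the only safe delimiter between path and detection name.
# The extension list is an assumption for the example, not ESET's rule.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?\.(?:exe|dll|scr|com|sys|pif|bat|cmd|vbs|js|tmp))\s+"
    r"(?P<detection>.+?)\s+"
    r"(?P<action>cleaned by deleting - quarantined|cleaned by deleting|"
    r"quarantined|deleted|cleaned|unable to clean|error while cleaning)\s*$",
    re.IGNORECASE,
)

# Windows XP keeps a copy of every changed file under
#   <drive>:\System Volume Information\_restore{<GUID>}\RP<n>\A<nnnnnnn>.<ext>
# with one RP<n> directory per restore point.
RESTORE_RE = re.compile(
    r"^[A-Za-z]:\\system volume information\\_restore\{(?P<guid>[0-9a-f-]{36})\}"
    r"\\rp(?P<rp>\d+)\\",
    re.IGNORECASE,
)


@dataclass
class Detection:
    path: str
    detection: str
    action: str
    restore_guid: Optional[str]    # GUID of the _restore{} tree, if inside one
    restore_point: Optional[int]   # the RP<n> number, if inside a restore point

    @property
    def in_restore_point(self) -> bool:
        return self.restore_point is not None


def parse_line(line: str) -> Optional[Detection]:
    """Return a Detection for one scanner result line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    r = RESTORE_RE.match(path)
    return Detection(
        path=path,
        detection=m.group("detection"),
        action=m.group("action"),
        restore_guid=r.group("guid") if r else None,
        restore_point=int(r.group("rp")) if r else None,
    )


def parse_log(text: str) -> List[Detection]:
    """Parse every recognisable result line; header and blank lines are skipped."""
    return [d for d in map(parse_line, text.splitlines()) if d is not None]


def summarize(dets: List[Detection]) -> Tuple[List[Detection], List[Detection], List[int]]:
    """Split detections into (live file system hits, restore-point hits, RP numbers touched)."""
    live = [d for d in dets if not d.in_restore_point]
    cached = [d for d in dets if d.in_restore_point]
    return live, cached, sorted({d.restore_point for d in cached})


# Constructed sample log.  The first line is the one quoted in post #6; the
# other two are made up for this example to show a second restore point and
# a hit outside System Volume Information.
SAMPLE_LOG = """\
C:\\system volume information\\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\\RP372\\A0075415.exe a variant of Win32/Adware.RegGenie application cleaned by deleting - quarantined
C:\\system volume information\\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\\RP380\\A0075901.exe Win32/TrojanDownloader.Agent trojan cleaned by deleting - quarantined
C:\\Documents and Settings\\dreez\\Local Settings\\Temp\\setup_x.exe Win32/TrojanDropper.Agent trojan quarantined
"""

if __name__ == "__main__":
    live, cached, points = summarize(parse_log(SAMPLE_LOG))
    for d in live:
        print(f"LIVE   {d.detection!r:48} {d.action:35} {d.path}")
    for d in cached:
        print(f"RP{d.restore_point:<4} {d.detection!r:48} {d.action:35} {d.path}")
    if cached and not live:
        print(f"Only restore-point copies found (RP {points}); "
              "the live system looks clean, so purge the restore points next.")
```

Read the output the way chromebuster reads the ESET line: a detection that only ever shows up under an `RPnnn` directory is a snapshot of a file that was already removed from the live system, and it will keep reappearing after a reboot or a scan as long as that restore point exists, whereas a hit in a user profile or a temp directory is something currently on disk.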


#8 dreez (Topic Starter)

Posted 13 June 2010 - 12:48 PM


So... sorry it has been a while since I have replied. MBAM really isn't doing too much for me... a-squared found a downloader trojan and, after I removed it, found the same type of trojan embedded in my System Restore files after reboot. I will run it one more time, then run in safe mode... It feels as if my computer takes too long to even open a new tab in Explorer...

No fake alerts. If there were, I would be able to figure out exactly what was going on! o,0

DreeZ

#9 chromebuster

Posted 13 June 2010 - 11:35 PM

Yeah. Ha ha, I was wondering myself where in the world you had been LOL. Well, after that, there is only one more place I can think of, and darn! Why on earth was I so dumb in not thinking of it before? One word... Kaspersky! They have lots of free wonderful utilities for those who aren't using their full products. One of those is the free removal tool "Kaspersky Virus Removal Tool 2010", or "AVP tool 2010", as it is also sometimes known. You can read about it on their support page. Type in something like "virus-fighting utilities (Kaspersky)" or something like that (preferably on Bing), and it should come right up. It gives you full instructions on how to use it, how to customize it for what type of scan you want to perform, and what to do if it can't remove something, or if it attempts to remove an important system file. That is not very common with Kaspersky though. I have never had to use it, so I can't really tell, but if you need a hand over there, they have volunteer staff waiting to direct you if needed. Their message board is populated with cool folks like over here, and they know their products inside and out. My friend uses the full paid-for product, and the only time she lost a file and it wasn't disinfected for her was because she's stubborn and she leaves everything at its default configuration and doesn't like to change things even if she knows that a change is obviously necessary for the correct result to be obtained. She's a goofball, but considering you are determined, I don't think you'll run into that LOL.

Hope this helps,
Chromebuster

Edited by chromebuster, 13 June 2010 - 11:38 PM.





