backdoor.win32.bredolab.ewe infection


This topic is locked
7 replies to this topic

#1 arkv


Posted 08 June 2010 - 04:18 PM

Yesterday, one of my WordPress blogs got hacked. I worked with my webhost to patch up the holes in the site, changed my passwords, etc. Only to find today, once again, the malicious code was back on my website. I talked to my web designer who thought the recurrence of the script injection was possibly due to some malware/trojan that was local on my PC, and was possibly injecting this script every time I went into FTP to remove it. My ZoneAlarm AV had been popping a few errors for the last 24 hours or so but I hadn't fully paid attention until he said this. Sure enough, looking at my ZA logs, yesterday there was a quarantine of trojan-downloader.win32.mufanom (it couldn't remove it so it "renamed it") and then over and over again today I'm getting a pop-up with backdoor.win32.bredolab.ewe saying it couldn't be removed but was renamed. Here are two of the error messages:

Backdoor.Win32.Bredolab.ewe was found in C:\Users\Ashley\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\siszpe32.exe.vzr on 6/8/2010 16:08:22

Description Anti-virus successfully quarantined a virus or viruses
Date / Time 2010-06-08 10:09:06-5:00
Type Treat
Virus name Worm.Win32.VBNA.b
Filename C:\Users\Ashley\AppData\Local\Temp\pdfupd.exe
Action Quarantined
Mode Manual

Description Anti-virus attempted but failed to quarantine a virus or viruses
Date / Time 2010-06-08 08:35:04-5:00
Type Treat
Virus name Trojan-Downloader.Win32.Mufanom.tug
Filename C:\Users\Ashley\AppData\Local\alescle.dll
Action Quarantine failed
Mode Manual



After looking online a bit, it appears this is a pretty serious trojan. Could someone help me with the steps for getting it removed and cleaned from my system?

I am running Windows Vista 64-bit as well as ZoneAlarm Security Suite (which obviously isn't working).

Thank you!!
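As an added example that is not part of this thread, the script below parses the two ZoneAlarm alert shapes pasted above (the one-line pop-up text and the key/value record) and flags what the AV left unresolved: a failed quarantine, a file sitting in the per-user Startup folder, a binary that was renamed rather than deleted, and a backdoor family name. The record layout is taken from the post as pasted, not from a documented ZoneAlarm export format, and the sample input is re-typed from the post.

```python
import re
# Constructed sample input: two of the ZoneAlarm alerts quoted in the post above,
# re-typed so this added example runs offline (layout taken from the post only).
SAMPLE_ALERTS = r"""
Backdoor.Win32.Bredolab.ewe was found in C:\Users\Ashley\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\siszpe32.exe.vzr on 6/8/2010 16:08:22

Description Anti-virus attempted but failed to quarantine a virus or viruses
Date / Time 2010-06-08 08:35:04-5:00
Virus name Trojan-Downloader.Win32.Mufanom.tug
Filename C:\Users\Ashley\AppData\Local\alescle.dll
Action Quarantine failed
"""

ONE_LINE = re.compile(r"^(?P<name>\S+) was found in (?P<path>.+) on \S+ \S+$")
FIELDS = ("Virus name", "Filename", "Action")
STARTUP_DIR = "\\start menu\\programs\\startup\\"  # per-user autorun folder

def parse_alerts(text):
    """Turn the pasted alert text into dicts with keys name, path, action."""
    alerts, cur = [], {}
    for line in text.splitlines() + [""]:          # trailing "" flushes the last record
        line = line.strip()
        m = ONE_LINE.match(line)
        if m:                                      # pop-up style one-line alert
            alerts.append({"name": m["name"], "path": m["path"], "action": None})
        elif not line and cur:                     # blank line ends a key/value record
            alerts.append({"name": cur.get("Virus name"), "path": cur.get("Filename"),
                           "action": cur.get("Action")})
            cur = {}
        else:
            for key in FIELDS:
                if line.startswith(key + " "):
                    cur[key] = line[len(key) + 1:].strip()
    return alerts

def triage(alerts):
    """For each alert, list why it still needs attention after the AV has run."""
    findings = []
    for a in alerts:
        path, reasons = (a["path"] or "").lower(), []
        if a["action"] and "failed" in a["action"].lower():
            reasons.append("quarantine failed: the file is probably still loaded")
        if STARTUP_DIR in path:
            reasons.append("sits in the Startup folder: re-runs at every logon")
        if re.search(r"\.(exe|dll)\.[a-z0-9]+$", path):
            reasons.append("renamed rather than deleted: still on disk")
        if "backdoor" in (a["name"] or "").lower():
            reasons.append("backdoor family: treat every credential used on this PC as exposed")
        findings.append((a["name"], reasons))
    return findings
```

Run `triage(parse_alerts(SAMPLE_ALERTS))` to get, per alert, the list of reasons it still needs a human decision; an empty list means the AV's own action was the end of the story.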

#2 boopme


Posted 08 June 2010 - 08:14 PM

Hello and welcome. About these infections:
A backdoor Trojan can allow an attacker to gain control of the system, log keystrokes, steal passwords, access personal data, send malevolent outgoing traffic, and close the security warning messages displayed by some anti-virus and security programs.

I would advise you to disconnect this PC from the Internet, and then go to a known clean computer and change any passwords or security information held on the infected computer. In particular, check whatever relates to online banking financial transactions, shopping, credit cards, or sensitive personal information. It is also wise to contact your financial institutions to apprise them of your situation.

We will do our best to clean the computer of any infections seen on the log. However, because of the nature of this Trojan, I cannot offer a total guarantee that there are no remnants left in the system, or that the computer will be trustworthy.

Many security experts believe that once infected with this type of Trojan, the best course of action is to reformat and reinstall the Operating System. Making this decision is based on what the computer is used for, and what information can be accessed from it.

Knowing the above, let us know if you wish to proceed.

To clean...
We need a deeper look. Please go here: Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If Gmer won't run, skip it and move on.
Let me know if that went well.

#3 arkv


Posted 08 June 2010 - 08:35 PM

Oh wow, not the news I was hoping to hear... So what would you do in my shoes? Do you think it's worth running a test just to see what is there? I run a bunch of websites and this is my main laptop. I use it for personal stuff like checking email, reading websites, etc. I also manage a number of my websites from it, connecting in via FTP and running some additional programs. I store all of my passwords using RoboForm, which is password protected; would this trojan be able to go in and view all of those? There are literally hundreds of logins saved there (most of them are just general logins, to like forums and websites and stuff).

I do have a lot of stuff on the computer so the thought of a reformat makes my head hurt, but if that's the only way to get rid of it, then I guess that's what has to happen. I did run a number of spyware detectors and a few files came up that were deleted, and since doing that I haven't been getting the ZoneAlarm pop-ups warning me of the files getting renamed (like before). But maybe that doesn't mean anything. Do you think it's worth running a check just to see what we find?

#4 boopme


Posted 08 June 2010 - 09:50 PM

Sorry, but I feel it most important that you knew. Well, I think you should do the DDS now. These backdoors have to be removed or they will own you and your sites.
If you had a lot of financials here I would feel differently. But I would still do this. Go to a clean computer and change any passwords or security information held on the infected computer.

#5 arkv


Posted 08 June 2010 - 10:51 PM

log files moved

Edited by arkv, 08 June 2010 - 11:17 PM.


#6 boopme


Posted 08 June 2010 - 11:00 PM

Hello, as per step 9 the logs need to be posted here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic. Thanks.

Let me know if that went well.

#7 arkv


Posted 09 June 2010 - 05:03 PM

Are there admins who respond and look at the logs over on the other forum? Just wondering, because it's been almost 24 hours since I posted without a reply. Not sure what the usual turnaround time is (you replied quite quickly) or if it takes a few days. Just curious; you know how these things are, want to get it fixed ASAP, just have no idea how.

Thanks!

#8 Orange Blossom


Posted 09 June 2010 - 05:52 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/322845/backdoorwin32bredolabewe-infection/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by an MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom