Backdoor.bla.trojan


7 replies to this topic

#1 Boyo


Posted 18 December 2005 - 12:01 AM

I am running XP SP2 with Norton Internet Security 2005. For the last 6 or 7 days, I have been having NIS pop-ups, saying an attempt to enter my computer with the Backdoor.Bla.Trojan has been made. Does anyone have any idea why this is happening, or is NIS giving me false positives? I also run Spybot, Ad-Aware Plus and SpywareBlaster. I have not had anything coming up with these programs.... Am I being targeted specifically?
AMD Athlon 64 X2 4400+ @2.64GHz|AC Freezer 64 Pro|Asus A8N32-SLI Deluxe|Corsair 2GB PC3500LLPRO|eVGA 7900GT CO Superclocked|SB Audigy 2 ZS|Logitech MX1000|WD 74GB Raptor|WD 320GB Caviar SE16|WD 250GB Caviar RE16 eSATA Mobile |Lite-On DVD/CD with Lightscribe|Enermax Liberty 620W|Lian Li PC7 Plus II


#2 stidyup


Posted 19 December 2005 - 03:35 AM

If you think you are infected, submit a hijackthis log to the HJT Forum.

How to submit a hijackthis log

Download Hijackthis

Try running the following from safe mode (Getting to safe-mode): Sysclean. You'll also need the virus template file from here: lpt***.zip. Remember to extract the contents of the zip file into the same folder as Sysclean.com

or

DrWeb CureIT

or

KASFX which is powered by the Kaspersky AV engine, you will need internet access to update it. If you haven't got net access in safe mode, update it before you use it.

If you're good with the command line, also try the Sophos Command Line scanner. This command will scan all of your HDDs and give you a log file to review afterwards:

SAV32CLI.EXE -F -di -remove -dn -mbr -all -zip -p=avscanlog.txt

Also try installing and running A2 Free and Ewido, again run from safe mode.

#3 acklan


Posted 19 December 2005 - 04:12 AM

Have you tried running NIS in safe mode to see if it can remove the virus?
"2007 & 2008 Windows Shell/User Award"

#4 Boyo


Posted 19 December 2005 - 04:27 PM

Actually, the idea of running NIS or any other AV in safe mode never crossed my mind. Thank you both. I will give these AVs in safe mode a shot.... Thanks again.

#5 acklan


Posted 19 December 2005 - 06:37 PM

Yes, try it and your antispyware programs too: Spybot, Adaware, SpyBlaster...

#6 TheSilencer


Posted 21 February 2008 - 01:32 AM

Boyo and crew,

You guys and gals are just simply too freakin' paranoid !!!!!!!!!!!! Don't you get it, there is no removal tool for the damn thing, because Symantec puts it there in their system program. How many of you are coming up on subscription renewals?

I have a $7K Area 51 Alienware pc which I protect rather well, yeah I got some of the programs youz guys mentioned and they scan and don't find anything. I also have Norton SystemWorks 2006 and my script is running out in June of this year.

For the past month, at least twice a week, I get the "bla was blocked" message. What is really weird is it is on UDP port 1042 from my machine's IP address to myself (local host). I called Symantec to see if they would have any ideas and the first line help desk (barely speaks English) sends me to this chick who wants to step me through a series of exercises ending up at a point where she states "okay now Joe, I must tell you that in order to continue any further, you will have to pay a one time fee of $99 bucks for me to clear your PC of this trojan."

Of course as soon as she went there, I told her that I did not have any money to do that until next month.

Uninstall Norton and get another program. Have you ever looked at the differences between the virus libraries between Norton and McAfee? They are almost totally different, one has viruses the other doesn't ... I just scanned 985,348 files and NSW found nothing, I scan with McAfee and it found nothing, ran some bot checks and several other online scans, and they found nothing .... but you know what ... my log in Norton says it blocked it again. :thumbsup:

Well gang it's 1230 am CST in New Orleans and I have to report for duty at 0500 hours

Enjoy the food for thought !!!

The Silencer (was my handle in USAF, when I was a combat control tech, many years ago)
Now I run data security at NASA's Michoud Assembly facility, NOLA. Late .........

#7 Orange Blossom


Posted 21 February 2008 - 01:51 AM

"For the last 6 or 7 days, I have been having NIS pop-ups, saying an attempt to enter my computer with the Backdoor.Bla.Trojan has been made."


Does your Symantec set-up include the firewall? The reason I ask is that this sounds like an alert from the firewall, not from the AV. Can you please clarify that?

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#8 groovicus


Posted 21 February 2008 - 09:21 AM

@The Silencer

"Don't you get it, there is no removal tool for the damn thing,"

Since you are new to BC, I suppose you may have missed the fact that we are a family friendly site, so we prefer to keep the language toned down. There is enough mindless drivel on the Internet already, no need for us to contribute. You may have also missed the fact that we help somewhere right around 500 people every day, and that there are very few of us to go around. I'm sure that you can appreciate (working for NASA and all), that we have standard procedures that we follow to try and move people through as quickly as we can. Most people that we get here are absolute beginners, and don't know enough just to do the basics, so that's where we start. That allows us to rule out the obvious things first. Then we can move on to the possibility that since this was first reported in 2000, that maybe it is a false positive, or maybe it is something new that has not been seen yet (which happens from time to time) and is not yet included in any definitions, and is able to evade heuristics. Firewalls are often the first indicator that things are wrong, and once we rule out the obvious, we have many other tools and techniques to utilize.

"I have a $7K Area 51 Alienware pc which I protect rather well"

Well I have a $1500 home built box, and I don't work for NASA, but my system has been clean for years. Maybe you could give us the benefit of the doubt and consider that we might know what we are talking about. If there is a program trying to dial out, your firewall should tell you exactly what it is, and where it is.

"because symantec puts it there in their system program"

I'm sorry, are you saying that it is part of Symantec's application, as in part of an auto reminder to update the subscription?
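
One way to follow up on the point that the firewall alert should lead to a specific program, as an added example that is not part of any post in this thread: parse saved `netstat -ano` and `tasklist /fo csv /nh` output to name the process bound to the alerted port (UDP 1042, from post #6) and whether it listens only on loopback. The sample output, the PIDs and the image name `example_app.exe` are constructed.

```python
import csv
import io

# Constructed `netstat -ano` output (sample data, not from the thread).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:1039      203.0.113.7:80         ESTABLISHED     1480
  UDP    0.0.0.0:445            *:*                                    4
  UDP    127.0.0.1:1042         *:*                                    1480
  UDP    127.0.0.1:1900         *:*                                    1124
"""

# Constructed `tasklist /fo csv /nh` output; image names are hypothetical.
TASKLIST_SAMPLE = '''\
"System","4","Services","0","236 K"
"svchost.exe","1124","Services","0","5,004 K"
"example_app.exe","1480","Console","0","18,332 K"
'''

def parse_netstat(text):
    """Yield (proto, local_ip, local_port, pid) for each endpoint row."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # skip headers and blank lines
        ip, _, port = fields[1].rpartition(":")
        if port.isdigit() and fields[-1].isdigit():
            yield fields[0], ip.strip("[]"), int(port), int(fields[-1])

def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv /nh` rows."""
    rows = csv.reader(io.StringIO(text))
    return {int(r[1]): r[0] for r in rows if len(r) >= 2 and r[1].isdigit()}

def owners_of_port(netstat_text, tasklist_text, proto, port):
    """Return one record per endpoint bound to proto/port, with its process."""
    names = parse_tasklist(tasklist_text)
    hits = []
    for pr, ip, p, pid in parse_netstat(netstat_text):
        if pr == proto and p == port:
            hits.append({"local": f"{ip}:{p}", "pid": pid,
                         "image": names.get(pid, "<unknown>"),
                         "loopback_only": ip in ("127.0.0.1", "::1")})
    return hits

if __name__ == "__main__":
    for hit in owners_of_port(NETSTAT_SAMPLE, TASKLIST_SAMPLE, "UDP", 1042):
        print(hit)
```

A loopback-only binding means the socket is not reachable from other hosts, so the next check is what the owning image is and where it was installed from.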



