Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan horse BackDoor.Generic14.CCGD


  • Please log in to reply
3 replies to this topic

#1 kirkifer

kirkifer

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:07:09 AM

Posted 14 December 2011 - 01:20 AM

Hello,

I am running XP Pro Version 2002 SP2

My browser is an older version of Firefox, not sure which one...


So far, I have run AVG 9.0, Malware Bytes, and Spybot. All are kept updated.

Malware bytes and Spybot do not see anything, but occaisionally, AVG is picking up the following:


"Infection";"Trojan horse BackDoor.Generic14.CCGD";"c:\System Volume Information\_restore{7FF4A7EF-E710-4D8A-9E5F-BCEA7BC4CA9A}\RP493\A0190229.sys";"";"12/13/2011, 8:18:58 PM"
"Infection";"Trojan horse BackDoor.Generic14.CCGD";"c:\System Volume Information\_restore{7FF4A7EF-E710-4D8A-9E5F-BCEA7BC4CA9A}\RP493\A0189230.sys";"";"12/13/2011, 7:48:37 PM"


Effects are an occasional redirect in the form of some sort of advertising popping up in a new window.


I am at the point of asking for some help to get rid of my pains...
So, where is this little booger hiding? I am sure it is something easy to find for someone who knows what he/she is doing...

Thanks,

Kirk

Edited by quietman7, 14 December 2011 - 09:55 AM.


BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,277 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:09 AM

Posted 14 December 2011 - 10:12 AM

I edited your topic to remove your HijackThis log as they are not permitted in topics outside the Virus, Trojan, Spyware, and Malware Removal Logs forum. Further, HijackThis only scans certain areas of your system/registry to help diagnose the presence of undetected malware in known hiding places. Therefore, its log may not always show all the malware on your system. As such, HijackThis has been replaced by newer tools like DDS, RSIT and OTL which provide comprehensive logs with specific details about more areas of your computer.

The Malware Response Team members are all volunteers who contribute to helping members as time permits but currently there is a backup and you may have to wait for assistance. Referrals are made to the Virus, Trojan, Spyware, and Malware Removal Logs forum if we cannot assist you here or more powerful tools are required for disinfection.


The detected _restore{GUID}\RP***\A00*****.xxx file(s) identified by your scan are in the System Volume Information Folder (SVI) which is a part of System Restore. The *** after 'RP' represents a sequential number automatically assigned by the operating system. The ***** after 'A00' also represents a sequential number where the original file(s) were backed up and renamed except for its extension. To learn more about this, refer to:System Restore is the feature that protects your computer by monitoring a core set of system and application files and by creating backups (snapshots saved as restore points) of vital system configurations and files before changes are made. These restore points can be used to "roll back" your computer to a clean working state in the event of a problem. This makes it possible to undo harmful changes to your system configurations including registry modifications made by software or malware by reverting the operating systems configuration to an earlier date. See What's Restored when using System Restore and What's Not.

The SVI folder is protected by permissions that only allow the system to have access and is hidden by default on the root of every drive, partition or volume including most external drives, and some USB flash drives. For more detailed information, read System Restore Overview and How it works and How antivirus software and System Restore work together.

System Restore is enabled by default and will back up the good as well as malevolent files, so when malware is present on the system it gets included in restore points as an A00***** file. If you only get a detection on a file in the SVI folder, that means the original file was on your system in another location at some point and probably has been removed. However, when you scan your system with anti-virus or anti-malware tools, you may receive an alert that a malicious file was detected in the SVI folder (in System Restore points) but the anti-virus software was unable to remove it. Since the SVI folder is a protected directory, most anti-virus and scanning tools cannot access it to disinfect or delete these files. If not removed, they sometimes can reinfect your system if you accidentally use an old restore point.

If your anti-virus or anti-malware tool cannot move the files to quarantine (or they keep returning as detections), they sometimes can reinfect your system if you accidentally use an old restore point. In order to avoid reinfection and remove these file(s) if your security tools cannot properly remove them, the easiest thing to do after disinfection is Create a New Restore Point to enable your computer to "roll-back" to a clean working state and use Disk Cleanup to remove all but the most recent restore point. Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 nrcpma

nrcpma

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:07:09 AM

Posted 07 January 2012 - 11:40 AM

Hi, I read this post and fear I may have a similar situation where a reformat and reinstall is needed. Can I run this past you to get some opinions?

My son has a PC which he uses mainly for his flight similator sw. He was on the internet trying to download some free planes or something and must have downloaded a trojan horse. So his internet got disabled and things went funny. I managed to do a system restore back and updated to AVG 2012 free 30 day trial and it showed the following:

"";"H:\WINDOWS\system32\DRIVERS\netbt.sys";"Trojan horse BackDoor.Generic14.CCGD";"Object is white-listed (critical/system file that should not be removed)"


"";"H:\WINDOWS\system32\drivers\netbt.sys";"Trojan horse BackDoor.Generic14.CCGD";"Object is white-listed (critical/system file that should not be removed)"

"";"HKLM\SYSTEM\CurrentControlSet\services\NetBT";"Found registry key with reference to infected file H:\WINDOWS\system32\DRIVERS\netbt.sys";"Moved to Virus Vault"


Now the internet is disabled again and I fear the worst. We can live with this PC not being connected to the internet anymore if he could at least use it for his games (simulators), but I am thinking that the malware will eventually damage his programs. What would you advise?

1. Reformat and OS reinstall?

2. OS reinstall

3. Some malware fix (but AVG says it cannot be removed)

4. Leave as is but do not connect to the internet

5. Throw PC away and learn the hard way


Any opinions and expertise is greatly appreciated.

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,277 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:09 AM

Posted 07 January 2012 - 03:47 PM

Welcome to BC nrcpma

This is a serious malware infection. kirkifer, who started this topic, was primarily complaining of the detections in System Restore which did not reveal the actual file named involved. After providing the info I did, he never replied back. As such, I don't know if he was able to clean his system or further help was needed.

Please follow the instructions in the Preparation Guide For Requesting Help starting at Step 6.
  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 7 there are instructions for downloading and running DDS which will create two logs.
When you have done that, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the Malware Response Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. After doing this, it would be helpful if you replied back in this thread with a link to the new topic so we can closed this one.

If HelpBot replies to your topic, please follow Step One so it will report your topic to the team members.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users