Topic: Backdoor.Bot
Brint Hannay
From: Maryland, USA
Posted 3 Aug 2010 12:47 pm
Yesterday, Malwarebytes Anti-Malware detected two infections in my computer (Windows XP SP3): One identified as Backdoor.Bot, the other as Trojan.Downloader.
MBAM says about each of them "Quarantined and deleted successfully". But in Googling "Backdoor.Bot" in particular, there are various allegations on computer blogs that it is very hard to remove--that even after MBAM or other AV claims to have removed it, it "comes back" or cannot be confidently considered to have been cleaned out.
As this is apparently a Trojan that can steal data, I really would like to know if I can trust my computer now with online banking, etc.
Please help!
John Floyd
From: R.I.P.
Posted 3 Aug 2010 1:48 pm
I was hit by this one yesterday.
(Trojan.Vundo)
Folders Infected:
C:\Program Files (x86)\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\FunWebProducts\Installr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\FunWebProducts\Installr\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\FunWebProducts\Installr\setups (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Files Infected:
C:\Program Files (x86)\FunWebProducts\Installr\1.bin\F3EZSETP.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\FunWebProducts\Installr\1.bin\F3PLUGIN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\FunWebProducts\Installr\1.bin\NPFUNWEB.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
It got by AVAST, but MBAM worked OK; it didn't prevent it but removed it OK.
I also turned Windows Defender back on because it's not using my resources too awfully bad.
Wiz Feinberg
From: Mid-Michigan, USA
Posted 3 Aug 2010 7:03 pm Re: Backdoor.Bot
Brint Hannay wrote:
Yesterday, Malwarebytes Anti-Malware detected two infections in my computer (Windows XP SP3): One identified as Backdoor.Bot, the other as Trojan.Downloader.
MBAM says about each of them "Quarantined and deleted successfully". But in Googling "Backdoor.Bot" in particular, there are various allegations on computer blogs that it is very hard to remove--that even after MBAM or other AV claims to have removed it, it "comes back" or cannot be confidently considered to have been cleaned out.
As this is apparently a Trojan that can steal data, I really would like to know if I can trust my computer now with online banking, etc.
Please help! :(
Brint;
Have you rebooted, updated MBAM definitions and scanned again? That is SOP. You should also perform an online followup scan with Trend Micro's HouseCall scanner.
You may also want to install, update and scan with ThreatFire, to scan for, remove and block further installation of rootkits.
John Floyd wrote:
It got by AVAST, but MBAM worked OK; it didn't prevent it but removed it OK.
John;
Unless you register MBAM it stays in purely manual mode. Registering it unlocks realtime protection, hostile IP blocking, automatic updating, scheduled scanning and "Flash" scanning (very fast, only most vulnerable locations).
_________________
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services
Wiz Feinberg
From: Mid-Michigan, USA
Posted 3 Aug 2010 7:11 pm
If there is a rootkit operating on your PC and MBAM,Threatfire, or HouseCall find, but fail to eradicate it, there is a special utility that can be downloaded, then run on the infected PC, that will kill the rootkit. Contact me through the Forum, by email or PM, for personal assistance removing malware from your computer with this, or other utilities.
Note, I charge for personal consulting and troubleshooting.
Brint Hannay
From: Maryland, USA
Posted 3 Aug 2010 7:16 pm Re: Backdoor.Bot
Wiz Feinberg wrote:
Brint;
Have you rebooted, updated MBAM definitions and scanned again? That is SOP.
Yes, I have done that. Actually, after getting the results quoted above, I rebooted, updated MBAM, and scanned again. This time I got results indicating still having only Backdoor.bot, but in "C:\System Volume Information\_restore". I clicked to remove and it said again "Quarantined and deleted successfully."
I again rebooted and scanned with MBAM again, and this time got "No malicious items detected."
I intend to reboot and scan with MBAM one more time, and I'll try those other scans, too.
Brint Hannay
From: Maryland, USA
Posted 3 Aug 2010 10:00 pm
Did that last MBAM scan, and HouseCall and Threatfire scans, and all came up clean. Guess I'm all right! (?)
Wiz Feinberg
From: Mid-Michigan, USA
Posted 4 Aug 2010 6:28 am
Brint Hannay wrote:
Did that last MBAM scan, and HouseCall and Threatfire scans, and all came up clean. Guess I'm all right! (?)
I agree. Only a malware removal expert, reading a HijackThis log, can say for sure if the PC is totally disinfected.
Often, malware fighters will ask you to disable System Restore during the fight. If malware is backed up in the System Restore folders it may be difficult to remove, as that is a strongly protected space managed by the System, not the logged on user.
If you disinfect your PC, then the malware returns after you reboot, the threat lived in System Restore. Disable System Restore, disinfect, reboot, update scanner and scan once more. Once the malware is gone for good, re-enable System Restore.
Now that you have removed the backdoor bot (you were botnetted), my advice is to install realtime protection to give you some resistance to another takeover. What anti-virus/spyware program is installed and running?
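The log lines John posted earlier and the restore-point hit Brint reported are both in the same "path (Detection.Name) -> Action" shape MBAM writes. The script below is an added example, not code from the thread or from Malwarebytes: it parses lines in that shape and flags the three things Wiz's post says matter before trusting a clean result, namely hits under System Volume Information\_restore (restore-point copies, which are how an infection "comes back"), entries whose action is anything other than a completed quarantine (a pending reboot), and backdoor/trojan families that mean anything typed on the machine since the infection should be treated as exposed. The sample log embedded in it is constructed for the example; the GUID, file names and the "Delete on reboot" entry are placeholders, not data from either poster's machine.

```python
"""Triage Malwarebytes-style scan log lines (added example, not from the thread).

Lines are expected in the shape MBAM writes:
    <path> (<Detection.Name>) -> <action>.
"""
import re
from collections import Counter

# path, then "(Detection.Name)", then "-> action".  The path itself may contain
# parentheses (e.g. "Program Files (x86)"), so the detection name is the last
# parenthesised group before the arrow.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?\s*$"
)

CLEAN_ACTION = "Quarantined and deleted successfully"

# A hit under this prefix is a restore-point copy, not the live file.  MBAM can
# quarantine it, but a restore point that still holds the dropper is how an
# infection returns after a reboot; that is why System Restore gets disabled
# during cleanup.
RESTORE_MARKER = r"\system volume information\_restore"

# Families that mean the box was remotely controlled or fetched more payloads:
# treat credentials used on it after infection as exposed.
HIGH_RISK_PREFIXES = ("Backdoor.", "Trojan.", "Rootkit.")

# Constructed sample log: the GUID, file names and the pending-reboot line are
# placeholders, not data from anyone's machine.
SAMPLE_LOG = r"""
C:\Program Files (x86)\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\FunWebProducts\Installr\1.bin\F3PLUGIN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EXAMPLE-GUID}\RP12\A0001234.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\example.dll (Trojan.Downloader) -> Delete on reboot.
No malicious items detected.
"""


def parse_line(line):
    """Return {'path', 'name', 'action'} for a detection line, else None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text):
    """Summarise a log and decide whether another reboot + rescan is needed."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    restore_hits = [e["path"] for e in entries
                    if RESTORE_MARKER in e["path"].lower()]
    pending = [e["path"] for e in entries if e["action"] != CLEAN_ACTION]
    high_risk = sorted({e["name"] for e in entries
                        if e["name"].startswith(HIGH_RISK_PREFIXES)})
    return {
        "entries": len(entries),
        "by_name": dict(Counter(e["name"] for e in entries)),
        "restore_point_hits": restore_hits,
        "pending_reboot": pending,
        "high_risk": high_risk,
        # Either condition means this scan does not prove the machine is clean.
        "rescan_required": bool(restore_hits or pending),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print("%-20s %s" % (key, value))
```

Run it against a saved MBAM log instead of SAMPLE_LOG to get the same summary; a "rescan_required" of True is the cue to follow Wiz's sequence (disable System Restore, reboot, update definitions, scan again) before calling the box clean.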
Brint Hannay
From: Maryland, USA
Posted 4 Aug 2010 8:24 am
I have AVG paid Anti-Virus and SpySweeper, with ZoneAlarm firewall. Now I also have ThreatFire (free version) installed.
I think the Backdoor.bot got in by a click on a link in an e-mail that appeared to be from a known source. Soon after we discovered there was a problem (the link led to advertising for Viagra etc., which the supposed sender would not have sent!), we alerted the "sender", who had already been alerted by others.
I know that one of the threats of a backdoor bot is stolen data--identity, etc. I have done financial transactions on the computer in the past. Do I have to fear that info such as passwords, account numbers, etc. can be stolen from past transactions, or would only transactions done since the infection was introduced be subject to that risk?
Can it be assumed that files such as Word documents, pictures, videos, and audio files are not infected? That is, can I copy or move them to, say, a Flash drive, without worrying that the virus comes with them?
Should I trust my computer now, or bite the bullet and re-format and clean re-install?
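One check a practitioner would run before copying documents, pictures and media off a machine that was just cleaned, added here as an example and not part of the thread: a data file cannot run by itself, so the realistic ways an infection rides along on a flash drive are an executable hiding under a document or image name, a double extension such as photo.exe.jpg, or an autorun.inf on the removable drive. The script verifies that each file's header matches its extension and refuses anything with a Windows executable (MZ) header or an executable extension. The sample files it writes to a temporary directory are constructed for the example; the magic-byte table covers only the formats the question mentions plus a few common ones, and it confirms file type, not the absence of macros in an Office document.

```python
"""Check that files are what their extension claims before copying them off a
cleaned machine (added example, not from the thread)."""
import os
import tempfile

OLE2 = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # .doc/.xls/.ppt container
# extension -> alternatives; each alternative is a list of (offset, bytes) that
# must all match.  Anything not listed is reported as "unknown", never as safe.
MAGIC = {
    ".doc":  [[(0, OLE2)]],
    ".xls":  [[(0, OLE2)]],
    ".docx": [[(0, b"PK\x03\x04")]],          # OOXML is a ZIP container
    ".jpg":  [[(0, b"\xFF\xD8\xFF")]],
    ".jpeg": [[(0, b"\xFF\xD8\xFF")]],
    ".png":  [[(0, b"\x89PNG\r\n\x1a\n")]],
    ".gif":  [[(0, b"GIF87a")], [(0, b"GIF89a")]],
    ".mp3":  [[(0, b"ID3")], [(0, b"\xFF\xFB")], [(0, b"\xFF\xF3")], [(0, b"\xFF\xF2")]],
    ".wav":  [[(0, b"RIFF"), (8, b"WAVE")]],
    ".avi":  [[(0, b"RIFF"), (8, b"AVI ")]],
}
EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd",
             ".vbs", ".js", ".lnk"}
PE_MAGIC = b"MZ"   # DOS/PE executable header


def _matches(head, alternatives):
    return any(all(head[off:off + len(sig)] == sig for off, sig in alt)
               for alt in alternatives)


def classify(path):
    """Return (category, detail); category is one of
    ok | executable | suspicious | mismatch | unknown."""
    lower = os.path.basename(path).lower()
    root, ext = os.path.splitext(lower)
    with open(path, "rb") as f:
        head = f.read(16)
    if lower == "autorun.inf":
        return "suspicious", "autorun.inf auto-starts from removable media"
    if ext in EXEC_EXTS:
        return "executable", "do not copy, whatever it claims to be"
    if head.startswith(PE_MAGIC):
        return "suspicious", "Windows executable header under a %s name" % ext
    inner = os.path.splitext(root)[1]
    if inner in EXEC_EXTS:
        return "suspicious", "double extension %s%s" % (inner, ext)
    if ext not in MAGIC:
        return "unknown", "no signature for %s; inspect manually" % ext
    if _matches(head, MAGIC[ext]):
        return "ok", "header matches %s" % ext
    return "mismatch", "header does not match %s" % ext


def scan_tree(root_dir):
    """Map each file under root_dir (relative path) to its verdict."""
    verdicts = {}
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            full = os.path.join(dirpath, name)
            verdicts[os.path.relpath(full, root_dir)] = classify(full)
    return verdicts


def build_sample_dir():
    """Constructed sample files (headers only) in a fresh temp directory."""
    d = tempfile.mkdtemp(prefix="usbcheck_")
    samples = {
        "photo.png":       b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "report.doc":      OLE2 + b"\x00" * 16,
        "song.mp3":        b"ID3\x03\x00" + b"\x00" * 16,
        "clip.wav":        b"RIFF\x24\x00\x00\x00WAVEfmt " + b"\x00" * 8,
        "invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 16,   # plain executable
        "holiday.jpg":     b"MZ\x90\x00" + b"\x00" * 16,   # executable renamed
        "photo.exe.jpg":   b"\xFF\xD8\xFF\xE0" + b"\x00" * 16,
        "autorun.inf":     b"[autorun]\r\nopen=setup.exe\r\n",
        "notes.txt":       b"just some notes",
        "broken.png":      b"not really a png file",
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    for rel, (cat, why) in sorted(scan_tree(build_sample_dir()).items()):
        print("%-10s %-16s %s" % (cat, rel, why))
```

Point scan_tree at the folder you intend to copy (or at the flash drive afterwards) and only move files that come back "ok"; "unknown" and "mismatch" want a manual look, and "executable" and "suspicious" stay behind.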
Richard Sinkler
From: aka: Rusty Strings -- Missoula, Montana
Posted 4 Aug 2010 10:27 am
Quote:
BTW, since we're all musicians here, the most dangerous sites to visit are song lyric sites, from what I read
I use these sites often (once in a while you get the right words and don't have to listen to the song, stopping all the time and writing out the words). How does the virus, bot or whatever get on your computer? I don't download anything from them. I do "copy & paste" the lyrics into Word to correct the usually incorrect lyrics and chords.
I use Trend Micro Internet Security Pro, and have never had the problems described above. Is my Trend software not detecting them? I'd hate to have to start loading in a bunch more programs to handle all these situations. Pretty soon the processor will only be running these anti-this and that programs and have no power left to run anything else.
_________________
Carter D10 8p/8k, Dekley S10 3p/4k C6 setup, Regal RD40 Dobro, Recording King Professional Dobro, NV400, NV112, Ibanez Gio guitar, Epiphone SG Special (open D slide guitar). Playing for 55 years and still counting.
Wiz Feinberg
From: Mid-Michigan, USA
Posted 4 Aug 2010 10:38 am
Richard Sinkler wrote:
Quote:
BTW, since we're all musicians here, the most dangerous sites to visit are song lyric sites, from what I read
I use Trend Micro Internet Security Pro, and have never had the problems described above. Is my Trend software not detecting them?
Richard;
As long as your computer is connected to the Internet, via a high speed connection, you will be protected against those threats by Trend Micro Internet Security Pro. It uses broadband connections to search for new definitions in the cloud, before they are even available to be downloaded by the program's automatic updater. It blocks exploits from web pages and may even be able to sanitize a page so you can use the uninfected portions.
If you try to go to a page that is laden with nothing but exploit codes, the Trend Micro Smart Protection Network will stop you in your tracks. There will be no mistake about it; you'll know it just saved you a_s.
Richard Sinkler
From: aka: Rusty Strings -- Missoula, Montana
Posted 4 Aug 2010 11:03 am
Good to know, Wiz. Thanks.
Cal Sharp
From: the farm in Kornfield Kounty, TN
Posted 4 Aug 2010 3:38 pm
Brint, I hope you get your computer secure again, if it ever was. The simple solution to all these security issues is to install Linux, which is free and has a minimal learning curve for basic stuff, and set your machine up to dual boot into either Win or Linux and use Linux for, if nothing else, banking, shopping, and anything else where critical passwords and credit cards are involved.
_________________
C#
Me: Steel Guitar Madness
Latest ebook: Steel Guitar Insanity
Custom Made Covers for Steel Guitars & Amps at Sharp Covers Nashville