Backdoor Trojan.....help!!!!!!!

neXus9

I downloaded a backdoor trojan virus and since the person has been in my PC (I'm finding other viruses in here, my crappy firewall didn't work!!), I've decided to wipe my hard drive and salvage whatever I can. I was wondering what kind of files I can keep and which ones I can't.

Iv'e put all my pictures, video clips and mp3's on a dvd (viruse don't affect these types of files, do they??).

I was wondering which files are safe from viruses.

Do macro viruses infect wordpad and notepad files or do they just infect microsoft word files?????

If they affect all of the above file types, can I just cut and paste my text into new word files, or will macro viruses just spread onto those???

I've also got a lot of websites in favourites. Would these weblinks be infected?.

Also Iv'e got a lot of saved webpages. What's the probability that these are infected???

I heard that zip files may not get infected by viruses. Is this true??

It would be cool if someone had a list of the files not harmed by viruses.

Iv'e got zonealarm now, so it seems to be keeping the script kiddies at bay. Iv'e tried a number of virus scanners:

AVG
Trend micro internet security
Kespersky
Mcafee security centre

(Currenty downloading trial for Panda titanium antivirus 2004)

It's a pain because I know damn well that there's no other choice but to clear my hard drive. There's always going to be one bastid that slips through all the antivirus scanners.:(

I found the hacker army a virus on my system which couldn't be deleted by the antivirus scanner. It was either in my temp folder or temporary internet folder. I cleared both and the scan doesn't pick it up anymore.

Thank you!!:)

The Dr00g

Are you talking to yourself?

Do you still have a problem or not?

See my post to zaph for info on software and tools you need to combat virus/torjan/browser-hijack @ http://www.boards.ie/vbulletin/showthread.php?s=&postid=1741886#post1741886

You don't necessarily have to wipe your PC.

neXus9

Originally posted by The Dr00g
Are you talking to yourself?

No.

Do you still have a problem or not?

I thought I cleared the backdoor trojan but i'm still getting people trying to get into my PC (guess I have more than one backdoor trojan).

I have zone alarm and it seems to be keeping my PC safe.

I downloaded hijackthis and am currently checking out the result it's given.

Thanks for the link.

the_syco

Plug out you cable (RJ45, patch-cable, etc), and reboot your PC into safe mode. Once in safe mode, run a virus scan. This'll detect any virus's that may be hiding behind a legit process.

As for the virus -v- files; any file can be attacked by a virus.

neXus9

I ran AVG in safe mode. I didn't run all the virus scanners in safe mode though (should of). I'll have to do them again, then.

liamo

Hi neXus9,

If you have been compromised and badguys have been wandering around your machine, then the ONLY ONLY ONLY way to address this is to
1) Take the machine off the network
2) Backup whatever personal files you need (data only - NO software)
3) Reinstall your system from scratch and then patch it from behind a firewall.

If your system has been compromised then there is nothing about your system that you can trust. You can't trust the reports that your system is giving you about running processes so you can't know with any certainty that there aren't numerous backdoors installed.

Sorry about the bleak advice but if you want to be sure then you have to bite the bullet.

Regards,

Liam

The Dr00g

Indeed, the cart should not go before the horse. Ooh er, that's rather a confusing pun isn't it.

Seriously... Nexus9, how do you know a "person" has been messing inside your PC?

neXus9

I clicked a weblink in yahoo messenger. I don't know why. Although I'm new to messenger (it was the first time properly on it) I knew damn well about script kiddies. It was so obvious, just wasn't thinking.:o

I had a crappy built in pc cillin firewall that didn't work.

Ran the scanner afterwards (AVG) and it found a backdoor trojan in my temporary internet folder. Then more viruses were found. Since then people have been attacking me left right and center (although it has eventually slowed down).

Backup whatever personal files you need (data only - NO software)

What files will I be able to backup?

I have my mpeg/mov video files, jpeg/gif files and mp3's backed up.

I want to backup my favourites folder, webpages stored, .rtf documents and game saves aswell. Are these ok to backup??

The only risk I see from above is that the webpages might have java viruses, so I guess I'm going to have to let go of those.

Reinstall your system from scratch and then patch it from behind a firewall.

Do you know of any websites that give windows 98 startup disks so I can fdisk it and clear the mbr?

liamo

I clicked a weblink in yahoo messenger. I don't know why. Although I'm new to messenger (it was the first time properly on it) I knew damn well about script kiddies. It was so obvious, just wasn't thinking.

If you believe that clicking on a URL was what started everything off then would I be correct in assuming that are using Internet Explorer? And that your system might also be unpatched? Drop Internet Explorer. It's full of vunerabilities. Get one of the many other browsers available. Try Firefox from http://mozilla.org . It has very quickly become my browser of choice.

Given that you found a Trojan Backdoor on your PC and that you were experiencing a lot of "attacks" subsequently, I wonder if it was broadcasting your PC's IP on a crackers IRC channel. It may not be the case but it sounds quite plausible. You say that "people" were "attacking" you left, right and center. The way you worded this implies that you were being targeted intentionally, rather than being the passive target of (what has come to be) normal Internet virus and worm activity. Is this what you meant? What form did these attacks take? Were they successful? (Not that it's important really, I'm just interested)

As to the files that you can backup: generally, any documents (Word docs, images, mp3, mpeg, game saves, etc) are ok. Certainly, documents that contain scripts/macros (eg Word docs, excel, emails, etc) can contain nasty stuff, however I would venture that they're ok. Besides, you can always run an anti-virus scanner on them. (On a clean system, of course)

Do you know of any websites that give windows 98 startup disks so I can fdisk it and clear the mbr?

I imagine that a clean install from CD will overwrite the MBR. I am, however, open to correction.

Regards,

Liam

neXus9

If you believe that clicking on a URL was what started everything off then would I be correct in assuming that are using Internet Explorer?

Yes. I actually have mozilla (although I didn't like the way it loaded webpages). Have to drop internet explorer then and get with mozilla.

You say that "people" were "attacking" you left, right and center. The way you worded this implies that you were being targeted intentionally, rather than being the passive target of (what has come to be) normal Internet virus and worm activity. Is this what you meant?

Yes. Zonealarm has reported that Iv'e been attacked 1647 times since I installed it (188 have been highrate).

What form did these attacks take? Were they successful?

People just trying to slip through an open port. I don't think they were successful since I installed zonealarm. Although a window minimised for no reason once so I disconnected

imagine that a clean install from CD will overwrite the MBR. I am, however, open to correction.

no, you have to use a startup disk. The mbr has to be cleared manually by the dos command: fdisk/mbr

liamo

Zonealarm has reported that Iv'e been attacked 1647 times since I installed it (188 have been highrate).

I suspect that what you were seeing was the standard scans that everyone who has an always-on connection receives. My firewall logs are full of scans and my webserver logs are full of exploit attempts (of course, I'm not using IIS). This is just the standard run-of-the-mill stuff.

I think that overwriting the MBR is probably unnecessary but if you're re-installing from scratch then it won't do any harm.

Regards,

Liam

The Dr00g

Nexus9 - Your PC could be put right without a wipe and re-install. You just need to familiarize yourself with the standard PC security tools of today (and hence forth keep up with developments). You can do so by getting cracking on scanning your PC with all the tools mentioned here and in other threads in this security section.

Check out irishgoe's thread - http://www.boards.ie/vbulletin/showthread.php?s=&threadid=173378 for all the usefull links you'll need.

liamo

I agree with The Dr00g (to a point).

If there hasn't been an actual intrustion and the attacks are just the run-of-the-mill scans, then there's no need to re-install.

However, if you suspect that an instrusion may have taken place then the only way to be sure is to reinstall.

There doesn't appear to be any evidence of an intrusion and the "attacks" appear to be the usual scans. However, a Trojan Backdoor was found on your system.

I know what I'd do but it's your call. However, either way, this will have been a good learning experience.

Regards,

Liam

neXus9

Originally posted by liamo
I think that overwriting the MBR is probably unnecessary but if you're re-installing from scratch then it won't do any harm.

You can get nasty boot sector viruses that hide in the mbr.

There doesn't appear to be any evidence of an intrusion and the "attacks" appear to be the usual scans. However, a Trojan Backdoor was found on your system.

Yeah, the guy planted viruses though. I never found viruses before I clicked the weblink (I don't download warez).

Originally posted by The Dr00g
Check out irishgoe's thread - http://www.boards.ie/vbulletin/showthread.php?s=&threadid=173378 for all the usefull links you'll need.

Thanks for the link.

To be honest I probably end up wiping my hd anyway, just to make sure that my PC is secure. I buy stuff on the net, so I'm not going to risk it just in case. Iv'e stored my mp3s, videos, and pictures. I'm going to store my .rtf documents, favourites and games saves. Half of the software I have I don't use anyway and I can always reinstall my games.

Was wondering can games saves actually get viruses??

What about install packages (since I must backup kazza lite and you can't get it anymore). I also had a DVD stored on my HD and burnt in onto a DVD. Can dvd files get infected with viruses?

Any suggestions for cafes with a big bandwidth where I can redownload my software (I'm going to buy a memory stick).

Thanks very much

The Dr00g

Forgive me for not practicing what I preach 100% (i.e. not keeping totally up to date), but isn't running kazza like an open invitation to trojan/virus/hijack infection?

I find bearshare to be a decent enough file-sharing client, and the bundled adware in the free version is easily disabled.

neXus9

I have kaaza lite (actually, you can still download it!), which doesn't have any ad ware. I don't download any software on it so I'm ok in that sense. Don't know about it security wise.

The Dr00g

I dunno. I guess I should find out though. But kazza *was* a very dirty word not so long ago. I still don't like the sound of it.

zt

Any software that opens a TCP port for listening should be avoided. File sharing programs need to do this to allow file transfer.

What sort of routing have you set up between your modem and PC? Do you have a real internet IP address on your PC or a local address?

You should absolutely avoid sticking Microsoft Windows based machines directly on the Internet unless you absolutely know what you are doing. Most ADSL modems will provide the ability to use a local address for your machine (a local address is like 192.168 etc). These addresses can not be directly addressed from the Internet without activating forwarding.

Netstat is a useful tool for showing listening ports. Here are two strange listening ports from my machine:

TCP bogus:18009 bogus:0 LISTENING
TCP bogus:18080 bogus:0 LISTENING

The Dr00g is correct about NOT needed to wipe a disk. The list of tools compiled is also good.

I would finally suggest that with a particularly active machine, that may need frequent reinstallation, you partition your disk into two parts and place ONLY program files on C:\ and use the other partition for your music / pictures etc. This allows you to format the system partition while leaving your files intact.

Originally posted by The Dr00g
Forgive me for not practicing what I preach 100% (i.e. not keeping totally up to date), but isn't running kazza like an open invitation to trojan/virus/hijack infection?

I find bearshare to be a decent enough file-sharing client, and the bundled adware in the free version is easily disabled.

Capt'n Midnight

Originally posted by neXus9
I have kaaza lite (actually, you can still download it!), which doesn't have any ad ware. I don't download any software on it so I'm ok in that sense. Don't know about it security wise.

Kazza safe ? - lets face it anything you shared was probably infected. You say you didn't get any sw - betcha you got loads of files with active content which can exploit M$ holes.
eg: Within a week of a source code leak for NT4, they demonstrated an IE5 root exploit in a bitmap...

echomadman

download fprot http://www.f-prot.com/products/home_use/dos/

put it on a bootable cd, boot and scan from that.
should find/remove stuff that cant be removed from within windows

neXus9

Originally posted by zt
What sort of routing have you set up between your modem and PC? Do you have a real internet IP address on your PC or a local address?

I have a real time ip address. Can you set up a local address with a dial up connection?

I would finally suggest that with a particularly active machine, that may need frequent reinstallation, you partition your disk into two parts and place ONLY program files on C:\ and use the other partition for your music / pictures etc. This allows you to format the system partition while leaving your files intact.

Can viruses jump from one partition to the next?

Originally posted by Capt'n Midnight
Kazza safe ? - lets face it anything you shared was probably infected

The only kind of files that I have stored, other than the kazaa lite program, are mp3s and mpegs.

betcha you got loads of files with active content which can exploit M$ holes.

How do you turn these off?

Capt'n Midnight

Originally posted by neXus9
Can viruses jump from one partition to the next? They can even jump to other machines...
ILOVEYOU affected most image files by replacing them with a vb script of the same name
SLAMMER hit 90% of infectable machines worldwide (unpatched MSSQL servers) in ~10-15 minutes.

The only kind of files that I have stored, other than the kazaa lite program, are mp3s and mpegs.

How do you turn these off?

eg: Check out the vunerabilites in
Real Player http://secunia.com/product/665/
and Media Player http://secunia.com/product/1085/
(your versions may vary)

http://secunia.com/product/ for other products, don't forget you need the OS and Browser patched

neXus9

I use winamp for music (winamp used to have a vunerability in it's program but now its gone with their new version). Although I do use media player for mpegs.

I don't allow any of them to use the internet but with winamp I read that the id tags of mp3s contained viruses that affected the previous version of winamp.

Thanks for the links, especially the last one.

EDIT: Found out there's a vunerability in my version of winamp so have to upgrade.

zt

Dialup connections will have a real IP addr. Although with dialup connections it is normal for an ISP to block certain traffic.

You should have a look at:

http://www.microsoft.com/mspress/books/sampchap/5885a.asp

Some very good tips for securing Windows here. Particularly look at the bit about deactivating services. If you are running a singe machine the majority of these can be switched off.

Originally posted by neXus9
I have a real time ip address. Can you set up a local address with a dial up connection?

Can viruses jump from one partition to the next?

The only kind of files that I have stored, other than the kazaa lite program, are mp3s and mpegs.

How do you turn these off?

Mac daddy

post your hijackthis logs i will check it for you see what i can find in them

liamo

Mac daddy: Your childish and clueless comments make it quite obvious that you don't have the smallest inkling about Computer Security.

You are perfectly entitled to disagree with me however you don't need to get personal about it. And, if you do wish to disagree, you really should know what you're talking about before you do. If you had bothered to read the remainder of the thread you would have seen the conversation develop to the point where - based on further posts from the original poster - I said that it may not be necessary to re-install.

This does not, however, invalidate my first post about how to recover from a compromised system.

You will note that I am talking about a "compromised" system - not a system with an iddy-biddy wickle virus.

Don't take my word for it. People far more competent than I will give the same advise.

For example:

Microsoft.
http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx

cert.org
http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

If you feel that advise from the Security Manager at the world's largest software company and the people at CERT (you know? CERT!!) is a "crock of shlte" then anything you have to say on the subject can be safely ignored.

Go back to managing an X-box.

Mac daddy

Not helpfull to neXus9

liamo

Now who is getting personal

You are quite correct. I apologise. That was unnecessary, unhelpful and rude.

The original post opened with the author telling us that he had downloaded a "backdoor trojan virus" and that "the person has been in my PC".

My post opened with "If you have been compromised" which is what he was saying had happened. I then told the poster what is standard industry practice in the event of a compromise.

That's it. That's all. If he hasn't been compromised then I'm happy for him. If he doesn't have to re-install then that's great. My original post is perfectly valid and I've been in the unfortunate position of having to practice what I preach (only once but that was enough!) so I'm not simply copying and pasting advice from others.

That's all I have to say on the subject. I just wanted to dampen down the flames a little and justify my first post that you seem to have taken such exception to.

ecksor

Originally posted by Mac daddy
What a crock of shlte do not listen to this muppet

If the person can't be sure of the extent of the intrusion (and it's a bit vague here in places) then his advice is perfectly sound. It is the only way to be sure.

RicardoSmith

I say burn the PC and mark the front door of the house with a red cross. :ninja:

Mac daddy

Originally posted by liamo
You are quite correct. I apologise. That was unnecessary, unhelpful and rude.
That's all I have to say on the subject. I just wanted to dampen down the flames a little and justify my first post that you seem to have taken such exception to.

Were cool just a misunderstanding on my part lets just try to help neXus9 with the problem

RicardoSmith

I say hes a witch, get the stakes out, but lets dunk him first just to be on the safe side.

ecksor

How about you shut up or I'll ban you.

RicardoSmith

Originally posted by ecksor
How about you shut up or I'll ban you.

Bit harsh :eek: I'll get me coat. Bye....