Backdoor Trojan.....help!!!!!!!

  • 03-07-2004 1:53am
    #1
    Closed Accounts Posts: 947 ✭✭✭


    I downloaded a backdoor trojan virus and since the person has been in my PC (I'm finding other viruses in here, my crappy firewall didn't work!!), I've decided to wipe my hard drive and salvage whatever I can. I was wondering what kind of files I can keep and which ones I can't.

    I've put all my pictures, video clips and mp3s on a DVD (viruses don't affect these types of files, do they??).

    I was wondering which files are safe from viruses.

    Do macro viruses infect wordpad and notepad files or do they just infect microsoft word files?????

    If they affect all of the above file types, can I just cut and paste my text into new word files, or will macro viruses just spread onto those???

    I've also got a lot of websites in favourites. Would these weblinks be infected?.

    Also I've got a lot of saved webpages. What's the probability that these are infected???

    I heard that zip files may not get infected by viruses. Is this true??

    It would be cool if someone had a list of the files not harmed by viruses.

    I've got ZoneAlarm now, so it seems to be keeping the script kiddies at bay. I've tried a number of virus scanners:

    AVG
    Trend micro internet security
    Kaspersky
    Mcafee security centre

    (Currently downloading trial for Panda Titanium Antivirus 2004)

    It's a pain because I know damn well that there's no other choice but to clear my hard drive. There's always going to be one bastid that slips through all the antivirus scanners.:(

    I found the hacker army a virus on my system which couldn't be deleted by the antivirus scanner. It was either in my temp folder or temporary internet folder. I cleared both and the scan doesn't pick it up anymore.

    Thank you!!:) :):)


Comments

  • Closed Accounts Posts: 1,028 ✭✭✭The Dr00g


    Are you talking to yourself?

    Do you still have a problem or not?

    See my post to zaph for info on software and tools you need to combat virus/trojan/browser-hijack @ http://www.boards.ie/vbulletin/showthread.php?s=&postid=1741886#post1741886

    You don't necessarily have to wipe your PC.


  • Closed Accounts Posts: 947 ✭✭✭neXus9


    Originally posted by The Dr00g
    Are you talking to yourself?
    No.
    Do you still have a problem or not?
    I thought I cleared the backdoor trojan but i'm still getting people trying to get into my PC (guess I have more than one backdoor trojan).

    I have zone alarm and it seems to be keeping my PC safe.

    I downloaded hijackthis and am currently checking out the result it's given.

    Thanks for the link.


  • Registered Users, Registered Users 2 Posts: 37,316 ✭✭✭✭the_syco


    Plug out your cable (RJ45, patch cable, etc), and reboot your PC into safe mode. Once in safe mode, run a virus scan. This'll detect any viruses that may be hiding behind a legit process.

    As for the virus -v- files; any file can be attacked by a virus.


  • Closed Accounts Posts: 947 ✭✭✭neXus9


    I ran AVG in safe mode. I didn't run all the virus scanners in safe mode though (should have). I'll have to do them again, then.


  • Registered Users, Registered Users 2 Posts: 1,193 ✭✭✭liamo


    Hi neXus9,

    If you have been compromised and badguys have been wandering around your machine, then the ONLY ONLY ONLY way to address this is to
    1) Take the machine off the network
    2) Backup whatever personal files you need (data only - NO software)
    3) Reinstall your system from scratch and then patch it from behind a firewall.

    If your system has been compromised then there is nothing about your system that you can trust. You can't trust the reports that your system is giving you about running processes so you can't know with any certainty that there aren't numerous backdoors installed.

    Sorry about the bleak advice but if you want to be sure then you have to bite the bullet.

    Regards,

    Liam


  • Closed Accounts Posts: 1,028 ✭✭✭The Dr00g


    Indeed, the cart should not go before the horse. Ooh er, that's rather a confusing pun isn't it. :p

    Seriously... Nexus9, how do you know a "person" has been messing inside your PC?


  • Closed Accounts Posts: 947 ✭✭✭neXus9


    I clicked a weblink in yahoo messenger. I don't know why. Although I'm new to messenger (it was the first time properly on it) I knew damn well about script kiddies. It was so obvious, just wasn't thinking.:o :(

    I had a crappy built in pc cillin firewall that didn't work.

    Ran the scanner afterwards (AVG) and it found a backdoor trojan in my temporary internet folder. Then more viruses were found. Since then people have been attacking me left right and center (although it has eventually slowed down).
    Backup whatever personal files you need (data only - NO software)
    What files will I be able to backup?

    I have my mpeg/mov video files, jpeg/gif files and mp3's backed up.

    I want to backup my favourites folder, webpages stored, .rtf documents and game saves as well. Are these ok to backup??

    The only risk I see from above is that the webpages might have java viruses, so I guess I'm going to have to let go of those.
    Reinstall your system from scratch and then patch it from behind a firewall.
    Do you know of any websites that give windows 98 startup disks so I can fdisk it and clear the mbr?


  • Registered Users, Registered Users 2 Posts: 1,193 ✭✭✭liamo


    I clicked a weblink in yahoo messenger. I don't know why. Although I'm new to messenger (it was the first time properly on it) I knew damn well about script kiddies. It was so obvious, just wasn't thinking.

    If you believe that clicking on a URL was what started everything off then would I be correct in assuming that you are using Internet Explorer? And that your system might also be unpatched? Drop Internet Explorer. It's full of vulnerabilities. Get one of the many other browsers available. Try Firefox from http://mozilla.org . It has very quickly become my browser of choice.

    Given that you found a Trojan Backdoor on your PC and that you were experiencing a lot of "attacks" subsequently, I wonder if it was broadcasting your PC's IP on a crackers' IRC channel. It may not be the case but it sounds quite plausible. You say that "people" were "attacking" you left, right and center. The way you worded this implies that you were being targeted intentionally, rather than being the passive target of (what has come to be) normal Internet virus and worm activity. Is this what you meant? What form did these attacks take? Were they successful? (Not that it's important really, I'm just interested)

    As to the files that you can backup: generally, any documents (Word docs, images, mp3, mpeg, game saves, etc) are ok. Certainly, documents that contain scripts/macros (eg Word docs, excel, emails, etc) can contain nasty stuff, however I would venture that they're ok. Besides, you can always run an anti-virus scanner on them. (On a clean system, of course)
    Do you know of any websites that give windows 98 startup disks so I can fdisk it and clear the mbr?

    I imagine that a clean install from CD will overwrite the MBR. I am, however, open to correction.

    Regards,

    Liam


  • Closed Accounts Posts: 947 ✭✭✭neXus9


    If you believe that clicking on a URL was what started everything off then would I be correct in assuming that are using Internet Explorer?
    Yes. I actually have mozilla (although I didn't like the way it loaded webpages). Have to drop internet explorer then and get with mozilla.
    You say that "people" were "attacking" you left, right and center. The way you worded this implies that you were being targeted intentionally, rather than being the passive target of (what has come to be) normal Internet virus and worm activity. Is this what you meant?
    Yes. ZoneAlarm has reported that I've been attacked 1647 times since I installed it (188 have been high-rate).
    What form did these attacks take? Were they successful?
    People just trying to slip through an open port. I don't think they were successful since I installed zonealarm. Although a window minimised for no reason once so I disconnected
    imagine that a clean install from CD will overwrite the MBR. I am, however, open to correction.
    No, you have to use a startup disk. The MBR has to be cleared manually by the DOS command: fdisk /mbr


  • Registered Users, Registered Users 2 Posts: 1,193 ✭✭✭liamo


    ZoneAlarm has reported that I've been attacked 1647 times since I installed it (188 have been high-rate).

    I suspect that what you were seeing was the standard scans that everyone who has an always-on connection receives. My firewall logs are full of scans and my webserver logs are full of exploit attempts (of course, I'm not using IIS). This is just the standard run-of-the-mill stuff.

    I think that overwriting the MBR is probably unnecessary but if you're re-installing from scratch then it won't do any harm.

    Regards,

    Liam


  • Closed Accounts Posts: 1,028 ✭✭✭The Dr00g


    Nexus9 - Your PC could be put right without a wipe and re-install. You just need to familiarize yourself with the standard PC security tools of today (and henceforth keep up with developments). You can do so by getting cracking on scanning your PC with all the tools mentioned here and in other threads in this security section.

    Check out irishgoe's thread - http://www.boards.ie/vbulletin/showthread.php?s=&threadid=173378 for all the useful links you'll need.


  • Registered Users, Registered Users 2 Posts: 1,193 ✭✭✭liamo


    I agree with The Dr00g (to a point).

    If there hasn't been an actual intrusion and the attacks are just the run-of-the-mill scans, then there's no need to re-install.

    However, if you suspect that an intrusion may have taken place then the only way to be sure is to reinstall.

    There doesn't appear to be any evidence of an intrusion and the "attacks" appear to be the usual scans. However, a Trojan Backdoor was found on your system.

    I know what I'd do but it's your call. However, either way, this will have been a good learning experience.

    Regards,

    Liam


  • Closed Accounts Posts: 947 ✭✭✭neXus9


    Originally posted by liamo
    I think that overwriting the MBR is probably unnecessary but if you're re-installing from scratch then it won't do any harm.
    You can get nasty boot sector viruses that hide in the mbr.
    There doesn't appear to be any evidence of an intrusion and the "attacks" appear to be the usual scans. However, a Trojan Backdoor was found on your system.
    Yeah, the guy planted viruses though. I never found viruses before I clicked the weblink (I don't download warez).
    Originally posted by The Dr00g
    Check out irishgoe's thread - http://www.boards.ie/vbulletin/showthread.php?s=&threadid=173378 for all the useful links you'll need.
    Thanks for the link.

    To be honest I'll probably end up wiping my HD anyway, just to make sure that my PC is secure. I buy stuff on the net, so I'm not going to risk it just in case. I've stored my mp3s, videos, and pictures. I'm going to store my .rtf documents, favourites and game saves. Half of the software I have I don't use anyway and I can always reinstall my games.

    Was wondering, can game saves actually get viruses??

    What about install packages (since I must backup Kazaa Lite and you can't get it anymore). I also had a DVD stored on my HD and burnt it onto a DVD. Can DVD files get infected with viruses?

    Any suggestions for cafes with a big bandwidth where I can redownload my software (I'm going to buy a memory stick).

    Thanks very much


  • Closed Accounts Posts: 1,028 ✭✭✭The Dr00g


    Forgive me for not practicing what I preach 100% (i.e. not keeping totally up to date), but isn't running Kazaa like an open invitation to trojan/virus/hijack infection?

    I find bearshare to be a decent enough file-sharing client, and the bundled adware in the free version is easily disabled.


  • Closed Accounts Posts: 947 ✭✭✭neXus9


    I have Kazaa Lite (actually, you can still download it!), which doesn't have any adware. I don't download any software on it so I'm ok in that sense. Don't know about it security-wise.


  • Closed Accounts Posts: 1,028 ✭✭✭The Dr00g


    I dunno. I guess I should find out though. But Kazaa *was* a very dirty word not so long ago. I still don't like the sound of it. :p


  • Closed Accounts Posts: 79 ✭✭zt


    Any software that opens a TCP port for listening should be avoided. File sharing programs need to do this to allow file transfer.

    What sort of routing have you set up between your modem and PC? Do you have a real internet IP address on your PC or a local address?

    You should absolutely avoid sticking Microsoft Windows based machines directly on the Internet unless you absolutely know what you are doing. Most ADSL modems will provide the ability to use a local address for your machine (a local address is like 192.168 etc). These addresses can not be directly addressed from the Internet without activating forwarding.

    Netstat is a useful tool for showing listening ports. Here are two strange listening ports from my machine:

    TCP bogus:18009 bogus:0 LISTENING
    TCP bogus:18080 bogus:0 LISTENING

    The Dr00g is correct about NOT needing to wipe a disk. The list of tools compiled is also good.

    I would finally suggest that with a particularly active machine, that may need frequent reinstallation, you partition your disk into two parts and place ONLY program files on C:\ and use the other partition for your music / pictures etc. This allows you to format the system partition while leaving your files intact.

    Originally posted by The Dr00g
    Forgive me for not practicing what I preach 100% (i.e. not keeping totally up to date), but isn't running Kazaa like an open invitation to trojan/virus/hijack infection?

    I find bearshare to be a decent enough file-sharing client, and the bundled adware in the free version is easily disabled.
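    As an added illustration of zt's two checks above (this is example code written for this page, not something zt or any poster supplied), the script below parses the kind of output Windows "netstat -an" prints, lists the TCP ports that are LISTENING, flags any not on a hypothetical per-machine allow-list, and tests whether an address falls in the RFC 1918 private ranges that cannot be reached from the Internet without port forwarding. The netstat text is a constructed sample in numeric form (zt's post showed the hostname form, "bogus:18009"); the allow-list of ports 135 and 139 is an assumption, not advice on which ports are safe.

```python
import ipaddress
import re

# Constructed sample of "netstat -an" output on Windows (not taken from the
# thread). Ports 18009 and 18080 stand in for the two "strange" listeners
# zt mentioned.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:18009      0.0.0.0:0              LISTENING
  TCP    192.168.1.5:18080      0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1045       203.0.113.10:80        ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Hypothetical allow-list: ports this particular box is expected to listen on.
EXPECTED_LISTENERS = {135, 139}

# RFC 1918 private ranges: reachable from the Internet only via forwarding/NAT.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Proto, local addr:port, foreign addr(:port), optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return one dict per socket line; header and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, addr, port, foreign, state = m.groups()
        sockets.append({"proto": proto, "addr": addr, "port": int(port),
                        "foreign": foreign, "state": state or ""})
    return sockets


def listening_tcp_ports(text):
    """Sorted list of TCP ports in LISTENING state."""
    return sorted({s["port"] for s in parse_netstat(text)
                   if s["proto"] == "TCP" and s["state"] == "LISTENING"})


def unexpected_listeners(text, expected=EXPECTED_LISTENERS):
    """Listening TCP ports that are not on the allow-list: investigate these."""
    return [p for p in listening_tcp_ports(text) if p not in expected]


def is_rfc1918(ip):
    """True if ip is in 10/8, 172.16/12 or 192.168/16."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def directly_reachable(ip):
    """A non-private address can be hit from the Internet with no forwarding."""
    return not is_rfc1918(ip)


if __name__ == "__main__":
    for sock in parse_netstat(SAMPLE_NETSTAT):
        print(sock)
    print("listening:", listening_tcp_ports(SAMPLE_NETSTAT))
    print("unexpected:", unexpected_listeners(SAMPLE_NETSTAT))
    for ip in ("192.168.1.5", "203.0.113.10"):
        print(ip, "private" if is_rfc1918(ip) else "directly reachable")
```

    Run it against real output with `netstat -an > ports.txt` and feed the file to `parse_netstat`; a listener that is not in the allow-list is the thing to chase down, and whatever process owns it cannot be trusted to report on itself once the machine is suspected compromised, which is liamo's point earlier in the thread.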


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,563 Mod ✭✭✭✭Capt'n Midnight


    Originally posted by neXus9
    I have Kazaa Lite (actually, you can still download it!), which doesn't have any adware. I don't download any software on it so I'm ok in that sense. Don't know about it security-wise.
    Kazaa safe? - let's face it, anything you shared was probably infected. You say you didn't get any sw - betcha you got loads of files with active content which can exploit M$ holes.
    eg: Within a week of a source code leak for NT4, they demonstrated an IE5 root exploit in a bitmap...


  • Registered Users, Registered Users 2 Posts: 1,472 ✭✭✭echomadman


    Download F-Prot http://www.f-prot.com/products/home_use/dos/

    Put it on a bootable CD, boot and scan from that.
    Should find/remove stuff that can't be removed from within Windows.


  • Closed Accounts Posts: 947 ✭✭✭neXus9


    Originally posted by zt
    What sort of routing have you set up between your modem and PC? Do you have a real internet IP address on your PC or a local address?
    I have a real time ip address. Can you set up a local address with a dial up connection?
    I would finally suggest that with a particularly active machine, that may need frequent reinstallation, you partition your disk into two parts and place ONLY program files on C:\ and use the other partition for your music / pictures etc. This allows you to format the system partition while leaving your files intact.
    Can viruses jump from one partition to the next?
    Originally posted by Capt'n Midnight
    Kazaa safe? - let's face it, anything you shared was probably infected
    The only kind of files that I have stored, other than the Kazaa Lite program, are mp3s and mpegs.
    betcha you got loads of files with active content which can exploit M$ holes.
    How do you turn these off?


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,563 Mod ✭✭✭✭Capt'n Midnight


    Originally posted by neXus9
    Can viruses jump from one partition to the next?
    They can even jump to other machines...
    ILOVEYOU affected most image files by replacing them with a vb script of the same name
    SLAMMER hit 90% of infectable machines worldwide (unpatched MSSQL servers) in ~10-15 minutes.

    The only kind of files that I have stored, other than the Kazaa Lite program, are mp3s and mpegs.

    How do you turn these off?
    eg: Check out the vulnerabilities in
    Real Player http://secunia.com/product/665/
    and Media Player http://secunia.com/product/1085/
    (your versions may vary)

    http://secunia.com/product/ for other products, don't forget you need the OS and Browser patched
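    Capt'n Midnight's ILOVEYOU example (image files replaced by a VBScript of the same name, which Explorer shows as "photo.jpg" once it hides known extensions) is the concrete answer to neXus9's "which files are safe" question: the name tells you nothing, so check both the extension chain and the first bytes of the content. The script below is an added example written for this page, not code from any poster or from the thread's linked tools. It flags names whose final extension is executable/script, especially a data extension followed by an executable one, and flags files whose leading bytes do not match the signature their extension promises. The file listing and byte strings are constructed samples; the extension and signature tables are my own and not exhaustive.

```python
import os

# Extensions Windows will execute or run as script (hypothetical, not complete).
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".exe",
               ".scr", ".pif", ".com", ".bat", ".cmd", ".hta"}

# Extensions people think of as "just data" (what the OP wants to back up).
DATA_EXTS = {".jpg", ".jpeg", ".gif", ".mp3", ".mpg", ".mpeg", ".mov",
             ".txt", ".rtf", ".doc", ".zip", ".htm", ".html"}

# Leading bytes a file of that type should start with (common signatures).
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".zip": (b"PK\x03\x04",),
    ".rtf": (b"{\\rtf",),
}

# Constructed sample "backup" listing: name -> first bytes of the file.
# "cat.gif" starts with "MZ", the DOS/Windows executable header, under an
# image name; "holiday2.jpg.vbs" mimics the ILOVEYOU renaming pattern.
SAMPLE_FILES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "holiday2.jpg.vbs": b"' constructed placeholder, not a real script\r\n",
    "notes.rtf": b"{\\rtf1\\ansi notes}",
    "archive.zip": b"PK\x03\x04\x14\x00\x00\x00",
    "cat.gif": b"MZ\x90\x00\x03\x00\x00\x00",
    "readme.txt.exe": b"MZ\x90\x00\x03\x00\x00\x00",
    "song.mp3": b"ID3\x03\x00\x00\x00",
}


def split_exts(name):
    """'photo.jpg.vbs' -> ['.jpg', '.vbs']; names without a dot give []."""
    parts = os.path.basename(name).lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def suspicious_name(name):
    """Reason string if the name alone is a red flag, else None."""
    exts = split_exts(name)
    if not exts or exts[-1] not in SCRIPT_EXTS:
        return None
    if any(e in DATA_EXTS for e in exts[:-1]):
        return "data extension followed by executable extension"
    return "executable/script file"


def magic_mismatch(name, data):
    """True if the extension has a known signature and the bytes lack it.
    Types with no entry in MAGIC are left unchecked (returns False)."""
    exts = split_exts(name)
    if not exts or exts[-1] not in MAGIC:
        return False
    return not any(data.startswith(sig) for sig in MAGIC[exts[-1]])


def scan(files):
    """List of (name, reason) for every file that fails either check."""
    findings = []
    for name, data in files.items():
        reason = suspicious_name(name)
        if reason is None and magic_mismatch(name, data):
            reason = "content does not match the extension's signature"
        if reason is not None:
            findings.append((name, reason))
    return findings


if __name__ == "__main__":
    for name, reason in scan(SAMPLE_FILES):
        print(f"{name}: {reason}")
```

    Run on a real folder by replacing `SAMPLE_FILES` with a dict built from `os.listdir()` and the first 16 bytes of each file. A clean result only says the names and headers look consistent; it is not a substitute for scanning the backup with an up-to-date antivirus on a clean machine, which is the advice already given in the thread.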


  • Closed Accounts Posts: 947 ✭✭✭neXus9


    I use Winamp for music (Winamp used to have a vulnerability in its program but now it's gone with their new version). Although I do use Media Player for mpegs.

    I don't allow any of them to use the internet, but with Winamp I read that the ID tags of mp3s contained viruses that affected the previous version of Winamp.

    Thanks for the links, especially the last one.

    EDIT: Found out there's a vulnerability in my version of Winamp so I have to upgrade.


  • Closed Accounts Posts: 79 ✭✭zt


    Dialup connections will have a real IP addr. Although with dialup connections it is normal for an ISP to block certain traffic.

    You should have a look at:

    http://www.microsoft.com/mspress/books/sampchap/5885a.asp

    Some very good tips for securing Windows here. Particularly look at the bit about deactivating services. If you are running a single machine the majority of these can be switched off.

    Originally posted by neXus9
    I have a real time ip address. Can you set up a local address with a dial up connection?

    Can viruses jump from one partition to the next?

    The only kind of files that I have stored, other than the Kazaa Lite program, are mp3s and mpegs.

    How do you turn these off?


  • Registered Users, Registered Users 2 Posts: 2,942 ✭✭✭Mac daddy


    Post your HijackThis logs, I will check them for you :) see what I can find in them


  • Registered Users, Registered Users 2 Posts: 1,193 ✭✭✭liamo


    Mac daddy: Your childish and clueless comments make it quite obvious that you don't have the smallest inkling about Computer Security.

    You are perfectly entitled to disagree with me however you don't need to get personal about it. And, if you do wish to disagree, you really should know what you're talking about before you do. If you had bothered to read the remainder of the thread you would have seen the conversation develop to the point where - based on further posts from the original poster - I said that it may not be necessary to re-install.

    This does not, however, invalidate my first post about how to recover from a compromised system.

    You will note that I am talking about a "compromised" system - not a system with an iddy-biddy wickle virus.

    Don't take my word for it. People far more competent than I will give the same advice.

    For example:

    Microsoft.
    http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx

    cert.org
    http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

    If you feel that advice from the Security Manager at the world's largest software company and the people at CERT (you know? CERT!!) is a "crock of shlte" then anything you have to say on the subject can be safely ignored.

    Go back to managing an X-box.


  • Registered Users, Registered Users 2 Posts: 2,942 ✭✭✭Mac daddy


    Not helpful to neXus9 :)


  • Registered Users, Registered Users 2 Posts: 1,193 ✭✭✭liamo


    Now who is getting personal
    You are quite correct. I apologise. That was unnecessary, unhelpful and rude.

    The original post opened with the author telling us that he had downloaded a "backdoor trojan virus" and that "the person has been in my PC".

    My post opened with "If you have been compromised" which is what he was saying had happened. I then told the poster what is standard industry practice in the event of a compromise.

    That's it. That's all. If he hasn't been compromised then I'm happy for him. If he doesn't have to re-install then that's great. My original post is perfectly valid and I've been in the unfortunate position of having to practice what I preach (only once but that was enough!) so I'm not simply copying and pasting advice from others.

    That's all I have to say on the subject. I just wanted to dampen down the flames a little and justify my first post that you seem to have taken such exception to.


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    Originally posted by Mac daddy
    What a crock of shlte do not listen to this muppet

    If the person can't be sure of the extent of the intrusion (and it's a bit vague here in places) then his advice is perfectly sound. It is the only way to be sure.


  • Closed Accounts Posts: 8,264 ✭✭✭RicardoSmith


    I say burn the PC and mark the front door of the house with a red cross. :ninja:


  • Registered Users, Registered Users 2 Posts: 2,942 ✭✭✭Mac daddy


    Originally posted by liamo
    You are quite correct. I apologise. That was unnecessary, unhelpful and rude.
    That's all I have to say on the subject. I just wanted to dampen down the flames a little and justify my first post that you seem to have taken such exception to.

    We're cool, just a misunderstanding on my part :) let's just try to help neXus9 with the problem


  • Closed Accounts Posts: 8,264 ✭✭✭RicardoSmith


    I say he's a witch, get the stakes out, but let's dunk him first just to be on the safe side.


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    How about you shut up or I'll ban you.


  • Closed Accounts Posts: 8,264 ✭✭✭RicardoSmith


    Originally posted by ecksor
    How about you shut up or I'll ban you.

    Bit harsh :eek: I'll get me coat. Bye....

