Backdoor.Trojan

[LPV]

A client of mine has told me he has the Backdoor.Trojan 'virus' on his
system (WinXP Home) being reported by his anti-virus program. He is using
NAV 2002 as his anti-virus program. He has told me that he has been
regularly updating NAV. I will be going to his home tomorrow (22 July) to
attempt to get things straightened out for him.

Here's my question (or questions):

1. I've Googled and visited the Symantec website to familiarize myself
about the Backdoor.Trojan 'virus'. From what I've read, it seems that
Backdoor.Trojan refers to a group (or family) of Backdoor virii. Is this
correct? Or, is there in fact a virus named Backdoor.Trojan and I'm just
too stupid to pick up on it?

2. If there is in fact a virus called Backdoor.Trojan, is there a removal
tool available? If so, does anyone know where I can dl it? I'm able to
find removal tools for other Backdoor-type virii (for example,
Backdoor.Autoupder), but can't find one for Backdoor.Trojan (which is
something which leads me to believe Backdoor.Trojan refers to a group of
Backdoor-type virii).

3. Does anyone have any suggestions/ideas that might help in cleaning this
Backdoor.Trojan?


Thanks much!

Loren

 

[null]

A client of mine has told me he has the Backdoor.Trojan 'virus' on his
system (WinXP Home) being reported by his anti-virus program. He is using
NAV 2002 as his anti-virus program. He has told me that he has been
regularly updating NAV. I will be going to his home tomorrow (22 July) to
attempt to get things straightened out for him.

Here's my question (or questions):

1. I've Googled and visited the Symantec website to familiarize myself
about the Backdoor.Trojan 'virus'. From what I've read, it seems that
Backdoor.Trojan refers to a group (or family) of Backdoor virii. Is this
correct? Or, is there in fact a virus named Backdoor.Trojan and I'm just
too stupid to pick up on it?

Take a look at this Project VGREP hit for NAV's backdoor.trojan alert.

http://www.virusbtn.com/resources/v...ackdoor.trojan&complete=1&product=11&offset=0

As you go through the various pages (1-5), (6-10) .... you'll see that
NAV does indeed produce that alert for a large number of malwares. It
very much looks like it produces that alert for spyware or adware as
well. So you don't know what you're dealing with. You'll have to scan
with Spybot and AdAware. And you might want to use at least one other
av scanner as well.


Art
http://www.epix.net/~artnpeg

 

[Reg Mouatt]

A client of mine has told me he has the Backdoor.Trojan 'virus' on his
system (WinXP Home) being reported by his anti-virus program. He is using
NAV 2002 as his anti-virus program. He has told me that he has been
regularly updating NAV. I will be going to his home tomorrow (22 July) to
attempt to get things straightened out for him.

Here's my question (or questions):

1. I've Googled and visited the Symantec website to familiarize myself
about the Backdoor.Trojan 'virus'. From what I've read, it seems that
Backdoor.Trojan refers to a group (or family) of Backdoor virii. Is this
correct? Or, is there in fact a virus named Backdoor.Trojan and I'm just
too stupid to pick up on it?

2. If there is in fact a virus called Backdoor.Trojan, is there a removal
tool available? If so, does anyone know where I can dl it? I'm able to
find removal tools for other Backdoor-type virii (for example,
Backdoor.Autoupder), but can't find one for Backdoor.Trojan (which is
something which leads me to believe Backdoor.Trojan refers to a group of
Backdoor-type virii).

3. Does anyone have any suggestions/ideas that might help in cleaning this
Backdoor.Trojan?


Thanks much!

Loren

I responded recently to someone using AVG Free which had identified
something called Backdoor.Agent.BA The only help I could give was to
post a Google link
http://www.google.com/search?sourceid=mozclient&ie=utf-8&oe=utf-8&q=Trojan+horse+Backdoor.Agent.BA

There may be variations but not known to me, Sorry. I do not use XP
but am aware that the System Restore feature should be closed down
prior to removal as this can continually re-infect. My apologies if I
am attempting to teach my Granny to suck eggs. Good luck with the
problem.

Reg

 

[Reg Mouatt]

I responded recently to someone using AVG Free which had identified
something called Backdoor.Agent.BA The only help I could give was to
post a Google link
http://www.google.com/search?sourceid=mozclient&ie=utf-8&oe=utf-8&q=Trojan+horse+Backdoor.Agent.BA

There may be variations but not known to me, Sorry. I do not use XP
but am aware that the System Restore feature should be closed down
prior to removal as this can continually re-infect. My apologies if I
am attempting to teach my Granny to suck eggs. Good luck with the
problem.

Reg

PS
http://www.google.com/search?sourceid=mozclient&ie=utf-8&oe=utf-8&q=backdoor+trojan

Reg

 

[LPV]

(snip)

Thanks, Art!

Take a look at this Project VGREP hit for NAV's backdoor.trojan alert.

http://www.virusbtn.com/resources/v...ackdoor.trojan&complete=1&product=11&offset=0

Good site. I've got it bookmarked.

As you go through the various pages (1-5), (6-10) .... you'll see that
NAV does indeed produce that alert for a large number of malwares. It
very much looks like it produces that alert for spyware or adware as
well. So you don't know what you're dealing with. You'll have to scan
with Spybot and AdAware. And you might want to use at least one other
av scanner as well.

That's pretty much the conclusion I'd drawn based on my research. Your
cited source and explanation seems to confirm that. I'll be loading up with
Spybot 1.3 and AdAware (thinking about taking CWShredder, also) to do
battle. I've got some other av apps that I'll use in addition to NAV.

Thanks again!

Loren

 

[LPV]

(snip)

I responded recently to someone using AVG Free which had identified
something called Backdoor.Agent.BA The only help I could give was to
post a Google link

http://www.google.com/search?sourceid=mozclient&ie=utf-8&oe=utf-8&q=Trojan+horse+Backdoor.Agent.BA

Thanks for the link, Reg. Although it refers only to a specific version of
a Backdoor Trojan, it was still helpful. It gave me insight relative to a
potential trojan I may have to deal with.

There may be variations but not known to me, Sorry. I do not use XP
but am aware that the System Restore feature should be closed down
prior to removal as this can continually re-infect. My apologies if I
am attempting to teach my Granny to suck eggs. Good luck with the
problem.

I think you're right about there being different variations of
Backdoor.Trojan.

Please don't apologize for "attempting to teach Granny to suck eggs". As an
old egg-sucker myself, there's no such thing as knowing everything (for me,
anyway). That's why I appreciate each and every effort to help me in my
Backdoor.Trojan ass-kicking attempt.

Thanks again.

Loren

p.s. I agree about disabling System Restore - Microsoft and Symantec both
recommended the same thing for specific types of Backdoor trojan removal, so
it seems logical that it should be done when dealing with a 'family' of this
type of trojan.

 

[LPV]

(snip)

http://www.google.com/search?sourceid=mozclient&ie=utf-8&oe=utf-8&q=backdoor+trojan

Reg

Thanks, Reg!

Loren

 

[Patty]

Take a look at this Project VGREP hit for NAV's backdoor.trojan alert.

http://www.virusbtn.com/resources/v...ackdoor.trojan&complete=1&product=11&offset=0

As you go through the various pages (1-5), (6-10) .... you'll see that
NAV does indeed produce that alert for a large number of malwares. It
very much looks like it produces that alert for spyware or adware as
well. So you don't know what you're dealing with. You'll have to scan
with Spybot and AdAware. And you might want to use at least one other
av scanner as well.


Art
http://www.epix.net/~artnpeg

I have a similar problem with my boss's computer. Norton reported a
backdoor sdbot virus in a file called aolmsngr.exe. I did a search for the
backdoor virus group and found out how to remove that file so I did that.
The message that Norton was giving went away (you could not get it off the
screen by clicking "ok" before, it stayed onscreen). That said... I ran
Norton in Safe Mode. It repaired 3 files (haven't a clue what they were
since I could see no way to find out) and it found hundreds of malware and
spyware files. But, it said it could not remove them all (this is in safe
mode). So, I ran spybot which removed some files. I ran adaware which
removed more. I believe, however, he's still infected with something since
I can't run msconfig or regedit in regular windows mode, only in safe mode.
One file that ZoneAlarm kept asking about (and which I denied internet
access for) was MSNGuyen.exe. I did a google search of this file and found
a mention to a "bestfriends.scr" which can be picked up through AIM. The
information alsos mentions that having this virus will prevent you from
running regedit or msconfig (they just flash on the screen for a second and
close). I have instructions to remove that now. But, my question is, why
didn't Norton remove this stuff when I ran it in Safe Mode? Is Norton not
all that it's cracked up to be? And why do none of virus encyclopedias
(Norton or McAfee) even mention this virus? And how did they get infected
in the first place since he runs Norton Antivirus in the background?

Thanks, sorry this is so long, but I'm trying to get his home computer
cleaned up before I leave for vacation next week.

Patty

 

[null]

I have instructions to remove that now. But, my question is, why
didn't Norton remove this stuff when I ran it in Safe Mode?

Norton can't remove what it can't pinpoint.

Is Norton not
all that it's cracked up to be?

Is that a surprise?

And why do none of virus encyclopedias
(Norton or McAfee) even mention this virus?

What did other av products have to say when you scanned with them?

And how did they get infected
in the first place since he runs Norton Antivirus in the background?

Easy. He doesn't practice safe hex.

Thanks, sorry this is so long, but I'm trying to get his home computer
cleaned up before I leave for vacation next week.

Here's some reading for you and your boss:

http://www.claymania.com/safe-hex.html

Have fun on your vacation


Art
http://www.epix.net/~artnpeg

 

[Patty]

Norton can't remove what it can't pinpoint.


Is that a surprise?


What did other av products have to say when you scanned with them?


Easy. He doesn't practice safe hex.


Here's some reading for you and your boss:

http://www.claymania.com/safe-hex.html

Have fun on your vacation


Art
http://www.epix.net/~artnpeg

Thanks, Art. I know all about safe hex, but sadly he and his teenage sons
do not. <sigh> I have to go over to his house regularly and clean this
junk out of his computer. He does know to run adaware on a regular basis,
I changed his settings on Norton to update automatically too.

I finally got it all cleaned out. There's just only so much I can do in a
couple hours. Hopefully he'll be good for a few weeks now.

Patty

 

[LPV]

Art wrote:

(some snipped)


Patty replied:

Thanks, Art. I know all about safe hex, but sadly he and his teenage sons
do not. <sigh> I have to go over to his house regularly and clean this
junk out of his computer. He does know to run adaware on a regular basis,
I changed his settings on Norton to update automatically too.

I finally got it all cleaned out. There's just only so much I can do in a
couple hours. Hopefully he'll be good for a few weeks now.

Congrats, Patty! I hope your boss reimburses you for the time you spent
cleaning up his mess.

(I previously wrote about one of my client's Backdoor.Trojan issues.)

I just got back from cleaning my client's system. Geez, Louise, did he have
a bunch of garbage on it. Dialers, Home Page Hijackers, etc., etc. Used
AdAware, Spybot 1.3, CWShredder, and the latest version of NAV Internet
Security to do it. I had to manually delete some of the crap that NAV
identified but was unable to delete. Finally came up with (to my eyes,
anyway) a once-again clean system. I spent time with him going over (again)
the importance of updating/running these programs. Time will tell if the
advice is taken.

Loren

 

[LPV]

Art wrote:


(snip)

Here's some reading for you and your boss:

http://www.claymania.com/safe-hex.html

That's site's a keeper, Art. Should be mandatory reading for everyone
before they are allowed to get an internet connection. But wait - that
would cut into my business revenue, so - - I take it back (grin).

Loren

 

[Patty]

Art wrote:


(snip)



That's site's a keeper, Art. Should be mandatory reading for everyone
before they are allowed to get an internet connection. But wait - that
would cut into my business revenue, so - - I take it back (grin).

Loren

Yeah, I should print it out and give it to my boss, but I know his sons
wouldn't bother to read it. Btw, he does pay me very well, so I can't
complain.

Patty