I have a virus


Peter Morris

I've run AVG which shows I have several instances of
Trojan horse Backdoor.Beastdoor.HW.

Having detected them it is unable to move them to the virus vault.


What do I do about it, please?
 

Diogenes

Peter said:
I've run AVG which shows I have several instances of
Trojan horse Backdoor.Beastdoor.HW.

Having detected them it is unable to move them to the virus vault.

What do I do about it, please?


First, _Never_ believe AVG!

Second, just in case there really is a Trojan on your PC, it can't be removed
when it hides in the System Restore folder. Turn System Restore off and
reboot; virus/trojan/worm = gone.
 

Richard

AVG is a good antivirus but it doesn't supply much in the
way of removal tools.
Try running "SWAT IT" this is a trojan and worm detector
and removal tool, you can search "swat it" on google and
then download a trial version. You can also download a
repair tool from symantec but be sure to switch off
system restore before using it, otherwise the repair
tool will not gain access to all the system files on your
hard drive.
Richard.
 

Rick "Nutcase" Rogers

There isn't, it's more likely that the original poster is either using
out-of-date definitions, or has it disabled.

--
Best of Luck,

Rick Rogers aka "Nutcase" MS-MVP - Windows
Windows isn't rocket science! That's my other hobby!

Associate Expert - WinXP - Expert Zone
 

Steve N.

I was replying to diogenes saying not to believe AVG, but thank you.

BTW & OT, do you know why when I reply to your messages (and some
other's) it only shows just your text and not the rest in the thread?
I'm using NS Composer and I don't see any setting about that.

Steve
 

Rick "Nutcase" Rogers

Hi Steve,

I was trying to let you know that there are no problems with AVG, and that
Diogenes' statement was inaccurate.

Can't answer you about the reply problem; I know nothing of NS Composer. I
haven't used anything Netscape since the name became synonymous with AOL.

--
Best of Luck,

Rick Rogers aka "Nutcase" MS-MVP - Windows
Windows isn't rocket science! That's my other hobby!

Associate Expert - WinXP - Expert Zone
 

Peter Morris

Rick "Nutcase" Rogers said:
There isn't, it's more likely that the original poster is either using
out-of-date definitions, or has it disabled.

No, I updated the definitions before scanning, and I have it enabled.
 

Rick "Nutcase" Rogers

Hi,

It's a result of a virus, just a different one. Likely swen or a klez
variant. While you clean up, use the emergency tools described here:
http://www.dougknox.com/xp/utils/xp_emerutils.htm

--
Best of Luck,

Rick Rogers aka "Nutcase" MS-MVP - Windows
Windows isn't rocket science! That's my other hobby!

Associate Expert - WinXP - Expert Zone
 

Rick "Nutcase" Rogers

Hi,

As evidenced by your other response, you have more than one infecting agent
on your system. Several of these disable antivirus software, including AVG,
though they appear to be running. Updated or not, if it's not running it
isn't doing you much good.

--
Best of Luck,

Rick Rogers aka "Nutcase" MS-MVP - Windows
Windows isn't rocket science! That's my other hobby!

Associate Expert - WinXP - Expert Zone
 

d2004xx

Peter Morris said:
I've run AVG which shows I have several instances of
Trojan horse Backdoor.Beastdoor.HW.

Having detected them it is unable to move them to the virus vault.


What do I do about it, please?

forget it.
 
Z

Peter said:
I've run AVG which shows I have several instances of
Trojan horse Backdoor.Beastdoor.HW.

Having detected them it is unable to move them to the virus vault.

What do I do about it, please?

Are they in the System Restore folder?

Have you tried booting to Safe Mode, and then running AVG?
 

PK

Hmmm, problem -

1st step - run task manager and stop certain processes.

Every time I try to run taskmanager, it closes after 1 second,
I can't use it.

This may, or may not, be the result of the virus.

Any suggestions?


Run AVG or another virus cleaner in safe mode.
 

Jim Carlock

You might need to check some other things as well.

Certain programs are not viruses and will never be viruses,
but they open your system up.

One such file is the Serv-U ftp program. You should visit
www.grc.com and click on the Shields Up! link and tell
it to scan all ports. It'll take a couple minutes but it'll tell
you which ports it can connect to you through. I'm thinking
FTP is either port 21 or 23 (one of the two).

You really shouldn't see any open ports on your system.

If you do, post back to the newsgroup explaining which
ports are open.

The serv-u.exe program can have any name in the world,
and it will never be detected as a virus. What it does, is
open up the FTP port, but any port in the world can be
used for FTP transmissions, so... any open ports
could mean your system has been compromised.

Let us know.

--
Jim Carlock
http://www.microcosmotalk.com/
Post replies to the newsgroup.



Rick "Nutcase" Rogers said:
There isn't, it's more likely that the original poster is either using
out-of-date definitions, or has it disabled.

No, I updated the definitions before scanning, and I have it enabled.
 

Peter Morris

Jim Carlock said:
You might need to check some other things as well.

Certain programs are not viruses and will never be viruses,
but they open your system up.

One such file is the Serv-U ftp program. You should visit
www.grc.com and click on the Shields Up! link and tell
it to scan all ports. It'll take a couple minutes but it'll tell
you which ports it can connect to you through. I'm thinking
FTP is either port 21 or 23 (one of the two).

You really shouldn't see any open ports on your system.

If you do, post back to the newsgroup explaining which
ports are open.

The serv-u.exe program can have any name in the world,
and it will never be detected as a virus. What it does, is
open up the FTP port, but any port in the world can be
used for FTP transmissions, so... any open ports
could mean your system has been compromised.

Let us know.

Alright, Task Manager is showing that I'm definitely running Serv-U.
How do I get rid of it?

As for ports, I ran the link, and it showed lots of open ports. So
I adjusted my firewall settings, now it's showing no open ports.



Here's the ports that were open.

==========================

GRC Port Authority Report created on UTC: 2004-04-19 at 17:58:29

Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113,
119, 135, 139, 143, 389, 443, 445,
1002, 1024-1030, 1720, 5000

11 Ports Open
15 Ports Closed
0 Ports Stealth
---------------------
26 Ports Tested

NO PORTS were found to be STEALTH.

Ports found to be OPEN were: 21, 25, 80, 113, 135, 139, 443,
445, 1025, 1026, 1027

Other than what is listed above, all ports are CLOSED.

TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.
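The Shields Up! report quoted above can be read mechanically rather than by eye. As an added example (not from the page, GRC or Serv-U), this Python parses the quoted report, expands the port ranges, and labels every open port with its standard service name (port 21 is FTP control, 23 is Telnet); the service table and the "should be closed on a desktop" verdict are my assumptions for a stand-alone home machine, and the sample input is a trimmed copy of the report above.

```python
import re

PORT_SERVICES = {  # standard service names (IANA), constructed here, not from the page
    21: "FTP control", 22: "SSH", 23: "Telnet", 25: "SMTP", 79: "Finger",
    80: "HTTP", 110: "POP3", 113: "Ident", 119: "NNTP", 135: "MS RPC mapper",
    139: "NetBIOS session", 143: "IMAP", 389: "LDAP", 443: "HTTPS",
    445: "SMB over TCP", 1720: "H.323", 5000: "UPnP"}

# Trimmed copy of the report quoted in the post above, used as sample input.
SAMPLE_REPORT = """\
Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113,
119, 135, 139, 143, 389, 443, 445,
1002, 1024-1030, 1720, 5000

Ports found to be OPEN were: 21, 25, 80, 113, 135, 139, 443,
445, 1025, 1026, 1027

TruStealth: FAILED - NOT all tested ports were STEALTH,
- A PING REPLY (ICMP Echo) WAS RECEIVED.
"""

def expand_port_list(text):
    """Expand '0, 21-23, 1024-1030' into a set of individual port numbers."""
    ports = set()
    for token in re.split(r"[,\s]+", text.strip()):
        if "-" in token:
            lo, hi = (int(x) for x in token.split("-", 1))
            ports.update(range(lo, hi + 1))
        elif token:
            ports.add(int(token))
    return ports

def parse_grc_report(report):
    """Return the tested and open port sets plus the ICMP echo verdict."""
    def block(label):  # a port list runs from its label to the next blank line
        m = re.search(label + r"\s*(.*?)\n\s*\n", report, re.S)
        return expand_port_list(m.group(1)) if m else set()
    return {"tested": block("Results from scan of ports:"),
            "open": block("Ports found to be OPEN were:"),
            "ping_reply": "PING REPLY (ICMP Echo) WAS RECEIVED" in report}

def triage(report):
    """Label each open port: a known service a lone desktop should not expose, or a high port whose owning process must be found on the machine."""
    findings = []
    for port in sorted(parse_grc_report(report)["open"]):
        service = PORT_SERVICES.get(port)
        verdict = "should be closed on a desktop" if service else "identify owning process"
        findings.append((port, service or "high port", verdict))
    return findings
```

The high ports 1025-1027 carry no fixed service name, so the report alone cannot say what owns them; that has to be checked on the machine by matching listening sockets to processes.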
 

Jim Carlock

Peter,

Report back with a list of the programs that are running in
your taskbar. Folks here should be able to recognize programs
that compromise your system.

Also, if you've got the Serv-U program on your system, do a
search through all files on the system. Typically hackers tend
to set it up in the root directory of your system, but it can be
anywhere.

I'm not fully qualified as to everything that's possible, but I'm
betting that the date on your ntdll.dll file is probably more
recent than what you're supposed to have. ntdll.dll is hacked
at times and folks add routines to it to open your system up.

I'd assume that your system has been totally compromised.
And the quickest way to fix it would be to format the HDD,
and reinstall XP. I spent two weeks of full time work trying
to reconfigure a Win2k server once, and finally ended up
deleting all the files in the Windows folder, in the Program
Files folder, and reinstalled Win2k.

If you want to take on the challenge though, post back with
the following information:

1) List of all tasks that are running. Folks here will be able
to help identify different things.
2) To help us out as well, keep notes about what you are
doing. This will provide a great reference to you and us,
and I'd appreciate the effort, as will others.

I will do my best to help out, but I'm not perfect and I do
not know everything, and cannot guarantee anything.

And it might end up taking a couple weeks to get
everything right. I'd recommend using ZoneAlarm, unless
someone else can recommend using a better firewall.

ZoneAlarm can be found at http://www.zonelabs.com/.
They currently offer a free trial which I think is 60 days,
I don't recommend buying it right at the moment because
while it is a good product, it needs some serious reworking,
but it will help you out tremendously.

I look forward to someone else that might be able to suggest
other firewalls.

--
Jim Carlock
http://www.microcosmotalk.com/
Post replies to the newsgroup.



Jim Carlock said:
You might need to check some other things as well.

Certain programs are not viruses and will never be viruses,
but they open your system up.

One such file is the Serv-U ftp program. You should visit
www.grc.com and click on the Shields Up! link and tell
it to scan all ports. It'll take a couple minutes but it'll tell
you which ports it can connect to you through. I'm thinking
FTP is either port 21 or 23 (one of the two).

You really shouldn't see any open ports on your system.

If you do, post back to the newsgroup explaining which
ports are open.

The serv-u.exe program can have any name in the world,
and it will never be detected as a virus. What it does, is
open up the FTP port, but any port in the world can be
used for FTP transmissions, so... any open ports
could mean your system has been compromised.

Let us know.

Alright, Task Manager is showing that I'm definitely running Serv-U.
How do I get rid of it?

As for ports, I ran the link, and it showed lots of open ports. So
I adjusted my firewall settings, now it's showing no open ports.



Here's the ports that were open.

==========================

GRC Port Authority Report created on UTC: 2004-04-19 at 17:58:29

Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113,
119, 135, 139, 143, 389, 443, 445,
1002, 1024-1030, 1720, 5000

11 Ports Open
15 Ports Closed
0 Ports Stealth
---------------------
26 Ports Tested

NO PORTS were found to be STEALTH.

Ports found to be OPEN were: 21, 25, 80, 113, 135, 139, 443,
445, 1025, 1026, 1027

Other than what is listed above, all ports are CLOSED.

TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.
 