Problem with trojans


E
Citizen
Username: Scubadiver

Post Number: 31
Registered: 8-2004
Posted on Tuesday, December 28, 2004 - 2:44 pm:

For some strange reason I keep getting a "Backdoor-BDD" trojan on my computer. I have McAfee running on my computer and I keep getting the red warning box saying that the infected file was deleted. But every time I click the "continue what I was doing button" it pops up again. Additionally, my Internet home page changes to some spam search engine. I keep changing the page back to "my.yahoo." but it keeps changing it back.

If anyone has a solution to this, please let me know.

Thanks a million!

Tom Reingold
Supporter
Username: Noglider

Post Number: 4945
Registered: 1-2003


Posted on Tuesday, December 28, 2004 - 2:50 pm:

Close all programs you can. Tell McAfee to do a complete scan of your entire computer. Do it with the network or modem cable physically disconnected from the computer. Walk away for an hour or three.

Soda
Citizen
Username: Soda

Post Number: 2235
Registered: 5-2001


Posted on Tuesday, December 28, 2004 - 3:26 pm:

And remember: Better a Backdoor-BDD Trojan than a backdoor STD because of a broken Trojan...

Brett
Citizen
Username: Bmalibashksa

Post Number: 1381
Registered: 7-2003
Posted on Tuesday, December 28, 2004 - 3:29 pm:

That guy is a nasty little bugger.

First of all you got it from downloading something, or opening a mail attachment. This didn’t get on the machine by itself. Also it’s going to constantly try to download files from a website, and has opened port 1024 for file transfer.

Fix 1, Use the System Restore Utility to get back to a date that you didn’t have this on your machine. If you can’t do that,

Fix 2, Go online and update the McAfee software (later than June 15, that’s when this trojan was found). Next you’ll need to turn off the System Restore Utility so the files don’t get backed up. Start your machine in “Safe Mode w/o networking”. Then as Tom said disconnect from the internet, and scan. To run the scan faster do it from the command line:

Start >> Run >> cmd

1. Type CD\
2. Press the Enter key
3. At the C:\ prompt, type CD SCAN
4. Press the Enter key.
5. At the C:\SCAN prompt, type SCAN /ADL /CLEAN /ALL /REPORT REPORT.TXT
6. Press the Enter key.
7. Once the scan finishes, exit DOS and restart the computer.

The search engine is not part of the trojan, the quickest software to get rid of that is HijackThis. It’s online and free.



monster
Citizen
Username: Monster

Post Number: 464
Registered: 7-2002


Posted on Tuesday, December 28, 2004 - 7:10 pm:

What Brett said,

McAfee page on it, http://vil.nai.com/vil/content/v_126448.htm


I might also suggest using a different AV, or more than one even,
such as a²: http://www.emsisoft.com/en/software/download/?
or AVG from Grisoft, try the free version: http://free.grisoft.com/freeweb.php/doc/2/

also suggest using Ad-Aware, http://www.lavasoft.com/support/download/
and Spybot Search & Destroy, http://www.safer-networking.org/en/download/index.html

If you don't have a firewall I like to recommend Sygate, try their free personal edition, http://smb.sygate.com/download_buy.htm

Also suggest using a router between your computer and the internet.

Dave
Moderator
Username: Dave

Post Number: 4821
Registered: 4-1998


Posted on Tuesday, December 28, 2004 - 9:26 pm:

This may be helpful
http://scribbling.net/how-to-fix-moms-computer

wnb
Citizen
Username: Wnb

Post Number: 209
Registered: 8-2001
Posted on Tuesday, December 28, 2004 - 10:42 pm:

I visited my sister over the holidays and she had managed to pick up some nasties which actually appeared to be messing with Spybot S&D to avoid detection. It was rather sneaky -- Spybot would run but the full count of items it was searching for was greatly diminished -- about 13000 as opposed to 21000 which were included in my installation. Also, I noted that all of the mirror sites for obtaining updates were wiped out. As a result the update message merely said "no updates are currently available" but in reality no update site was being connected to.

One of the main culprits seemed to be a bugger called "ShopAtHome" which had placed "soh.exe" files in randomly-named directories on the C drive. I eliminated about 30 of these. A persistent process running was called "bundle.exe." There were a few others as well.

Behavior when surfing was similar to what you are experiencing, especially when trying to connect to "my.ebay.com" and other "my" type sites. Her iTunes was also messed with. In addition, she had attempted to install both Firefox and Netscape. Both of these alternative browsers were disabled by something so that no connection could get through on them. A "Connection was denied" message was displayed every time either of these would try to load a page.

I was able, after much finagling, to eliminate all spyware from her machine. At least all known spyware as currently detected by Spybot S&D and Ad-Aware. However, the behavior was not corrected outright. I advised her that she would probably need to at least reinstall IE, iTunes, an alternative browser, and other related applications at current release levels. She may likely choose to do a complete OS-level rebuild of the machine still.

This stuff is getting more and more sophisticated and more difficult to eradicate. And, unfortunately, some of the undesired side-effects don't seem to go away simply by removing the spyware itself.

The key message I'm trying to get across here is look very carefully at what's going on. You may need to go through your process list and look up each process on the internet to see if it is valid or not. You may need to launch Windows in "Safe Mode" and even then manually kill some processes. You may need to install Spybot S&D on another clean machine and then copy its directory manually over to the affected machine to ensure its integrity (one of the tricks I had to pull on my sister's machine). At some point, all this effort becomes ridiculous in the face of simply dropping a nuke on the thing and starting from scratch. Only you can decide what that point is, but you should recognize it when you see it. I literally spent an entire day working on her machine and while I had success in eradicating all the spyware, she was still not restored to a point of usability.
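An added example, not part of the original post: one way to check a scanner's install directory on the affected machine against a copy taken from a clean machine, which is the integrity concern the post above describes. The file names and contents in `demo()` are constructed placeholders, not Spybot S&D's real layout.

```python
import hashlib
import tempfile
from pathlib import Path


def manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare(clean_root, suspect_root):
    """Return files missing from, modified in, or added to the suspect copy."""
    clean, suspect = manifest(clean_root), manifest(suspect_root)
    return {
        "missing": sorted(set(clean) - set(suspect)),
        "modified": sorted(f for f in clean.keys() & suspect.keys()
                           if clean[f] != suspect[f]),
        "extra": sorted(set(suspect) - set(clean)),
    }


def demo():
    """Constructed sample: a clean tool directory and a tampered copy of it."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, suspect = Path(tmp, "clean"), Path(tmp, "suspect")
        for root in (clean, suspect):
            (root / "defs").mkdir(parents=True)
            (root / "scanner.exe").write_bytes(b"constructed scanner binary")
            (root / "defs" / "definitions.dat").write_text("rule\n" * 21000)
            (root / "mirrors.txt").write_text("update-site.example.invalid\n")
        # Simulate the symptoms in the post: fewer definitions, mirror list gone,
        # plus an unexpected executable dropped into the directory.
        (suspect / "defs" / "definitions.dat").write_text("rule\n" * 13000)
        (suspect / "mirrors.txt").unlink()
        (suspect / "soh.exe").write_bytes(b"constructed unexpected file")
        return compare(clean, suspect)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Run the comparison from a trusted environment (a clean machine reading the suspect disk, or boot media), since hashes computed by the infected system itself cannot be relied on.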




Tom Reingold
Supporter
Username: Noglider

Post Number: 4954
Registered: 1-2003


Posted on Tuesday, December 28, 2004 - 11:47 pm:

Remember the days before we had hard disks? Maybe we're headed back that way. We can boot off a write-only CD with the OS. We can stick in memory sticks or writable CD's or hook up USB hard disks when and only when we want to write files, consciously. This way, malware won't mess with our systems.

There is a version of Linux called Knoppix which fits handily on a CD.

Also, we had network-boot devices that booted off a file server in the workplace. I really liked that model.

E
Citizen
Username: Scubadiver

Post Number: 32
Registered: 8-2004
Posted on Wednesday, December 29, 2004 - 3:35 pm:

Thank you all for your help. I ran spybot and ad-aware and got rid of some stuff. My McAfee was still going nuts repeatedly deleting the "Backdoor BDD" trojan and my Internet Explorer browser kept getting changed back to "about:blank". I finally switched to Mozilla Firefox and that seems to have done the trick.
Once again, I really appreciate everyone taking the time to help me out!

Tom Reingold
Supporter
Username: Noglider

Post Number: 4963
Registered: 1-2003


Posted on Wednesday, December 29, 2004 - 4:10 pm:

It's good that Firefox has made things livable again for now, but it doesn't sound as if you have eradicated everything. Someone or something will invoke IE again, and that will invite further damage. I suggest you persevere with McAfee or another virus scanner. Or maybe it's time to back up your stuff and reload the OS.

Last time I had this problem, I bought a new hard disk and loaded the OS onto it. I occasionally retrieve stuff from the old disk, but as time goes on, I find I do it less often.
