Backdoor Trojan Challenge

Discussion in 'Malware Help (A Specialist Will Reply)' started by Boff, Nov 20, 2008.

  1. Boff

    Boff Private E-2

    Hi there

    Got a nice little backdoor trojan on my desktop and laptop. It sends emails from my Outlook account every few days. I suspect it was from my daughter who sent me a mail from Bebo...and used my laptop. Problem started about a week ago.

    Email contents are:-
    welcome to order,
    We got the news that you are looking for electronic products, We would like to take the opportunity to introduce our company and products ,hoping that we can serve you in the future.
    As a wholesaler &retailer ,we offer the following items: laptops, TVs, phones,cameras, GPS, Motorcycles and etc with competitive price and best quality.
    Hope we can establish business relationship from now on .here is our website:


    No other problems noted.

    On my Desktop I have Vista Home Basic, with Zone alarm firewall, AntiVir virus checker, A squared for malware.
    On my laptop I have Vista Home Premium with Zone alarm, McAfee security for malware and viruses.

    Before running the cleaning process no viruses were picked up in any of the daily checks; also I ran separately Kaspersky and Trend Micro online scanners - nothing, all report clean machine.

    Logs are attached as per Vista Cleaning Procedure

    Any ideas?

    Martin
     

    Attached Files:

    Last edited by a moderator: Nov 21, 2008
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am removing the links you gave as they may lead to someone clicking and becoming infected.

    In the meantime, we also need the log from running MGTools.exe ---> C:\MGLogs.zip
     
  3. Boff

    Boff Private E-2

    MG Tools enc
     

    Attached Files:

    Last edited: Nov 22, 2008
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not seeing any malware.....if you suspect a problem with an email, you need to delete those emails.

    You can run an online scan from Bitdefender if you like: go to Bitscan link: agree to the license and then select Scan. DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED. That will make your logs huge and we don't need to see clean files. Once Bitdefender completes the scan:

    Click-on the Detected Problems tab. Then select Click here to export the scan report

    When the window comes up to save the report, change the Save as type: box to Text (Tab Delimited) (*.txt) and then in the File name box change the name to bdscan, then click save. This will save a file named bdscan.txt in whatever folder you are currently in when you save the file (take notice of where you are at so you can find it later). This bdscan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.
     
  5. Boff

    Boff Private E-2

    I tried Bitscan online - it wouldn't run (said virus definitions couldn't be updated, I tried in IE and Firefox and ran as Administrator). So I downloaded the full Bitscan program - and it gave a report 'No threats were found'

    I had tried Kaspersky and Trend before this.

    The bug I thought was in Outlook but it still sends email even though I haven't run Outlook, I see the mails in Hotmail...thousands of them

    Martin
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Are you downloading your hotmail messages into Outlook? What have you done to clean out those accounts? Did you use a different computer and change your passwords? Have you removed all emails that hold attachments?

    Please try running Kaspersky Cleaner.
     
  7. Boff

    Boff Private E-2

    1. I did use Outlook to download mail messages, but stopped once problem identified - mailings continue and they go every 3rd day
    2. I have already reset password in hotmail (and other passwords, not that I have many online services) on a separate pc
    3. Any mail in hotmail with an attachment has been deleted and cleaned right out
    4. Ran Kaspersky Tool - nothing in log (also Bit Defender, Trend Micro and McAfee - all run separately, no reports of problems)
    5. It has infected both my laptop and desktop
    6. I tried using Wireshark to monitor activity but it's too complex for me...a simple tool might help see the source of activity but don't know of any

    I now use Comodo firewall and antivirus with A squared/spybot scans for malware. None report anything in scans.

    Martin
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I tend to doubt that any scanners are going to find anything. You may have installed a program that is hooking itself into Outlook somehow.

    Did you install StopZilla after this problem began? Is it a paid version or a trial version? If just a trial, uninstall it now.

    The below were recently installed. Were they installed before or after the problem began:
    I notice the 2nd is related to Outlook?? I assume the below two recent DLL files are related to the above programs:
    Code:
    2008-11-13 13:44 . 2006-04-17 11:56 1,207,808 c:\windows\System32\PhoenixDll.dll
    2008-11-13 13:44 . 2004-10-16 21:46 178,176 c:\windows\System32\StellarProfile.dll 
    What are the below files on your Desktop from?
    Code:
    "C:\Users\Martin\Desktop\"
    mail.gif      13 Nov 2008       90700  "mail.gif"
    mail.psd      13 Nov 2008      463046  "mail.psd"
    pst-re~1.exe  13 Nov 2008     2705766  "pst-repair-t.exe"
    
    Do you know what the below is for? It's a bad idea to install programs like this and like you did with SUPERAntiSpyware. You should install things into their default folder names.
    Have you tried using System Restore to go back to a point in time before the infection? If not, it may be worth a try. Note anything installed after the date you restore to will no longer be installed (like Comodo).

    Note you only posted your last logs from SUPERAntiSpyware and Malwarebytes but you have other scans you ran with them that found problems. Please attach the below logs
    Code:
    "C:\Users\Martin\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\Logs\"
    supera~1.log  17 Nov 2008  7460  "SUPERAntiSpyware Scan Log - 11-17-2008 - 12-58-21.log"
    supera~2.log  19 Nov 2008  2806  "SUPERAntiSpyware Scan Log - 11-19-2008 - 10-40-45.log"
     
    "C:\Users\Martin\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Logs\"
    mbam-l~1.txt  17 Nov 2008  1724  "mbam-log-2008-11-17 (15-48-50).txt"
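
    As an added example (not from this thread, and not one of the MajorGeeks tools), here is a PowerShell script that automates the two checks the posts above lean on: files dropped into System32 around the date the problem began (the listing shows DLLs with 2004/2006 timestamps appearing on 2008-11-13), and a simpler alternative to Wireshark for seeing which process is opening outbound mail connections. It assumes a Windows 8 / Server 2012 or newer machine for Get-NetTCPConnection, and the date window is constructed from the listing above.

```powershell
# Added example, not code from the thread. Run from an elevated PowerShell prompt.
# Assumption: Windows 8+ (Get-NetTCPConnection is not available on Vista).

# Date window constructed from chaslang's listing (DLLs created 2008-11-13).
$since = Get-Date '2008-11-10'
$until = Get-Date '2008-11-21'

function Get-RecentSystemFiles {
    param([string]$Path = "$env:windir\System32", [datetime]$From, [datetime]$To)
    # Filter on CreationTime, not LastWriteTime: a dropped file keeps the old
    # modified timestamp of the build it came from, as the 2004/2006 DLLs show.
    Get-ChildItem -Path $Path -File -Include *.dll, *.exe -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $From -and $_.CreationTime -le $To } |
        Select-Object FullName, CreationTime, LastWriteTime, Length
}

function Get-OutboundMailConnections {
    # Connections to the usual mail-submission ports, joined to the owning process.
    # This answers "what is sending mail when Outlook is not running" without a
    # packet capture: mail sent by a browser session at Hotmail will not show here,
    # while a local process submitting SMTP directly will.
    $mailPorts = 25, 465, 587
    Get-NetTCPConnection -State Established, SynSent -ErrorAction SilentlyContinue |
        Where-Object { $mailPorts -contains $_.RemotePort } |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                PID           = $_.OwningProcess
                Process       = $p.ProcessName
                Path          = $p.Path   # needs elevation for system processes
            }
        }
}

Get-RecentSystemFiles -From $since -To $until | Format-Table -AutoSize
Get-OutboundMailConnections | Format-Table -AutoSize
```

    Leave the second command running in a loop (or re-run it every few minutes) around the time the unwanted mails are sent; an empty result while mails keep appearing in Hotmail points at the webmail account itself rather than at the PC.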
    
     
  9. Boff

    Boff Private E-2

    Hi there

    Took the nuclear option and just reinstalled everything on fresh partitions. For a short while my pc worked like a dream, fast and responsive, it was like running through fresh snow. Then I loaded Comodo firewall and anti-virus - and back to slow response...<<sighs>>

    Thanks for the help - I think it was quite a nasty backdoor trojan, hope others don't get it!
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

