Generic Backdoor.t can't seem to get rid of it....

Hi,

We have 5 or 6 computers on our network where our McAfee AV is catching a virus called Generic Backdoor.t, but the file that it's catching won't let us delete it.  It only seems to be one file, but it's a different named file on each affected computer.  You tell McAfee to clean it and it says it can't.  You tell it to delete it and it says it can't.  But then you search for the file and sometimes it's there and sometimes it's not.  If you scan the computer for viruses, it finds nothing.  I scanned with http://housecall.antivirus.com and with F-Secure, and with our McAfee.  None of them found viruses.  Yet, you log off and log back into Windows and McAfee will again display the little hand squishing the bug and say it found the virus again in the same file.

How do I get rid of this?  How can you stop something that doesn't get found when scanning the system with your AV?

Any ideas?

Thanks.

Mark
mark-wa Asked:
sunray_2003 Commented:
Using msconfig, have you disabled all startup applications and services, and does it behave the same way?
0
 
sunray_2003 Commented:
Hello Mark,

Have you been able to log into safe mode on those computers and then tried to remove that file?

SR..
0
 
mark-wa (Author) Commented:
Hi Sunray,

Good to hear from you.  Haven't seen your posts around as much lately.  I have logged into Windows safe mode, but when I do that and look for the file, it's not there.  So there's got to be something in Startup that is putting the file there, but I haven't been able to find it.

I've looked in the Run keys in the registry, the startup folder itself, the win.ini and system.ini files, I've used msconfig.  I just can't figure out where it's coming from.

Any more thoughts?

Mark
0
 
sunray_2003 Commented:
mark-wa,

Yeah, too busy with the real job, hence could not participate much.

Do you know the file name that the anti-virus is catching?

Have you tried to delete temporary internet files, cookies, and temporary Windows files?
0
 
sunray_2003 Commented:
Mark,

Did you run McAfee in safe mode, and was it able to remove that file instead of you removing it manually?
0
 
mark-wa (Author) Commented:
I did try scanning in safe mode and it didn't find anything.  That's the weird part.  Then you log back in in normal mode and it catches the virus again.  Maybe it's catching the initial attempt at infection.  But I need to figure out how to stop it from even getting that far.  Here are some of the file names that it is catching on the different computers:

niccer.dll
ntfat.dll
cryptcom.dll
keylock.dll

Thanks Sunray.

Mark
0
 
sunray_2003 Commented:
Mark,

Is your McAfee fully updated with the latest DATs?

Have you told McAfee to put the affected file in a quarantine folder if it cannot clean or delete the file?
0
 
mark-wa (Author) Commented:
McAfee is fully updated with the latest DATs and it is supposed to quarantine, but it can't.  For some reason, it can't clean, delete, or move the infected file.  This just doesn't make sense and there isn't anything on the internet about this virus that is helpful.  Thanks Sunray.

Mark
0
 
sunray_2003 Commented:
Mark,

>>   If you scan the computer for viruses, it finds nothing.

When exactly does it find the virus, then? Are you saying McAfee finds the virus sometimes but not other times?
0
 
mark-wa (Author) Commented:
When you first log in to a computer, McAfee does a virus scan at startup, then doesn't normally do one again until later (at a scheduled time).  So it picks up that infected file at startup.  Then, the file will either disappear or it will stay on the system, but other virus scanners don't pick it up.  If you scan again with McAfee, it's only finding the one infected file, or sometimes, if that file has disappeared, it doesn't find anything.  But there must be something that is trying to install that file at startup, and I can't find anything.  I know this doesn't make sense, but this is the way it's acting.

Pretty frustrating.

Thanks Sunray.

Mark
0
 
mark-wa (Author) Commented:
I didn't disable all.  I was going to but I had other things that needed to get done.  I will try that though.  Thanks.

Mark
0
 
rossfingal Commented:
SR

Tell them to shut off "System Restore" - or, at least, do that and set a "Restore" point -
so they have something to go back to.

RF
0
 
governor_arnold Commented:
I would try to run the hard drive in a different, non-infected computer as a slave and then I would run a scan on the infected drive. Before you do that, though, make sure that you turned off System Restore on the infected HD.
0
 
mark-wa (Author) Commented:
Hi,

Thanks for the input, but I forgot to mention that this is Windows 2000, not XP, so there is no System Restore.  Thanks.

Mark
0
 
sunray_2003 Commented:
For some reason I thought in one of your previous questions you had mentioned working with Windows 2000, so I thought these are the same computers; hence System Restore did not strike me at all. Anyway, good that you have confirmed that these are in fact Windows 2000.

Did you try to disable all services and all startups?
0
 
briancassin Commented:
Have you tried running HijackThis on the infected computers? This will list all startup entries. What it sounds like to me is possibly the memwatch trojan... it recreates itself over and over again... you need to check the running processes for anything out of the ordinary. I would run a HijackThis scan; you can get it here: http://tomcoyote.org/hjt 

In addition, I would highly recommend running two other utilities.

http://www.pandasoftware.com/products/activescan/com/activescan_principal.htm

Run the full scan and make sure it is selected to use heuristics; it's got an excellent heuristics scanner. From experience, this found more viruses than HouseCall or Norton. HouseCall is very good, but sometimes it misses a few files. Unfortunately, these days there is no one AV cure-all solution.

Next, I would get the 30-day trial version of Spy Sweeper:

http://www.webroot.com   It will get rid of trojans, spyware, malware, hijackers, etc...
I have found this to be very effective at nuking things.

Post your logfile up here.

It may not necessarily be a full-out virus but a SPYWARE/MALWARE TROJAN.

Try to keep McAfee from nuking the file; make it so it just identifies it, if you can. Then go to the directory where the file is, get the properties on it, try to get a created date, and write it down. Then try going to a command prompt, going to the c:\winnt\system and c:\winnt\system32 folders, and doing an ATTRIB -H on the directory; see what comes back saying "not resetting attribute" and write them down... these are most likely the infected files that need to be removed. Use Find Files or Folders in Windows, go to the Advanced tab, and look for the dates that were identified on the file attributes; also look for 0 KB size files... see if you have a bunch of them. I ran into a system that had 15,000 random 0 KB size files that were created by a trojan that I believed to be memwatch.

Let me know; get back to me.
0
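The startup-entry listing and the system-directory checks recommended in this post (and the "disable all startups" step suggested earlier in the thread), as an added PowerShell example that is not part of the thread and is not HijackThis: it walks the Run/RunOnce keys, the Winlogon Shell/Userinit and AppInit_DLLs values, the startup folders and the service binaries, then lists the newest, hidden and zero-byte files in System32. It assumes a current Windows host and an elevated session; Windows 2000 has no PowerShell, so on the thread's machines the same checks are done by hand with regedit, msconfig, `dir /a /od` and `attrib`. The `$env:SystemRoot`-based paths and the 25-file cut-off are assumptions.

```powershell
# Added example, not from the thread: enumerate the usual autostart locations
# and triage the system directory. Assumes a current Windows host and an
# elevated PowerShell session; nothing here modifies the machine.

function Get-AutostartEntries {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $p.Value }
        }
    }

    # Winlogon Shell/Userinit run at every logon and AppInit_DLLs is loaded
    # into every GUI process; anything beyond the defaults deserves a look.
    $wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    foreach ($name in 'Shell', 'Userinit') {
        [pscustomobject]@{ Location = 'Winlogon'; Name = $name; Command = $wl.$name }
    }
    $win = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    [pscustomobject]@{ Location = 'Windows'; Name = 'AppInit_DLLs'; Command = $win.AppInit_DLLs }

    # Startup folders for the current user and for all users.
    $folders = @(
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
    )
    foreach ($f in $folders) {
        if (-not (Test-Path $f)) { continue }
        Get-ChildItem -Path $f -Force | ForEach-Object {
            [pscustomobject]@{ Location = 'StartupFolder'; Name = $_.Name; Command = $_.FullName }
        }
    }

    # Services whose binary lives outside the Windows directory.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notlike "*$env:SystemRoot*" } |
        ForEach-Object {
            [pscustomobject]@{ Location = "Service($($_.StartMode))"; Name = $_.Name; Command = $_.PathName }
        }
}

function Get-SuspectSystemFiles {
    param([string]$Dir = "$env:SystemRoot\System32", [int]$Newest = 25)
    $files = Get-ChildItem -Path $Dir -Force -File
    # Newest files first: a dropper's files cluster around one creation date.
    $files | Sort-Object CreationTime -Descending | Select-Object -First $Newest |
        ForEach-Object {
            [pscustomobject]@{ Why = 'recent'; Name = $_.Name; Length = $_.Length; Created = $_.CreationTime; Attributes = $_.Attributes }
        }
    # Hidden and zero-byte files are what the "attrib -h" and "0 KB" checks find.
    $files | Where-Object { $_.Length -eq 0 -or ($_.Attributes -band [IO.FileAttributes]::Hidden) } |
        ForEach-Object {
            [pscustomobject]@{ Why = 'hidden-or-empty'; Name = $_.Name; Length = $_.Length; Created = $_.CreationTime; Attributes = $_.Attributes }
        }
}

Get-AutostartEntries   | Format-Table -AutoSize
Get-SuspectSystemFiles | Format-Table -AutoSize
```

Compare the output across the affected and unaffected machines: an entry or a creation date that only the infected boxes share is the place to start, which is exactly the "where is it coming from" question the original poster could not answer from the Run keys alone.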
 
r-k Commented:
Here is one thing that can be very effective in cases like yours:

Let's say there is a file named yyyy.xxx which is believed to be a virus or other bot, and you can't delete it because it is always "in use".

What you can do is to right-click on the file, and change permissions so that no one, not even administrator or system, has any access to that file.

Then reboot, and you should be able to change permissions again on the file and delete it.

The ultimate success of this plan depends on identifying all infected files, and doing this to all of them. Some malware will run in tandem, and if you don't delete them all, one side will re-create the other.

Good luck.
0
 
briancassin Commented:
r-k

"The ultimate success of this plan depends on identifying all infected files, and doing this to all of them. Some malware will run in tandem, and if you don't delete them all, one side will re-create the other".

Exactly, just like memwatch does.
0
 
r-k Commented:
"exactly just like memwatch does"

Yes, you're very right. I had not heard of that one before, so thanks for the pointer. I ran into a couple of similar ones in the past, whose names I don't know. In one case I was actually able to kill both by doing it fast enough, but usually they will recreate within less than a second.
0
 
briancassin Commented:
That is what memwatch does: it will run two random processes in the background in the process list. When you kill one of the processes, the other one will regenerate a new process within 1-15 seconds, with another random 7-character named .exe file, depending on whether the processor is at 99% utilization because of memwatch.

Example: you will see x8ywnye.exe and wrt3s78.exe running in the processes. You end x8ywnye.exe, and wrt3s78.exe creates a new one called 9f4dzz3.exe, and it goes on and on until you kill both, remove it from the registry, and remove all of its spawn. It's a real pain, and no AV or anti-spyware can fully get rid of it because of this feature it has.
0
 
r-k Commented:
<quote>
example: you will see   x8ywnye.exe  and wrt3s78.exe running in the processes you end x8ywnye.exe and wrt3s78.exe creates a new one called 9f4dzz3.exe   and it goes on and on until you kill both and remove it from the registry and remove all of its spawn. its a real pain and no av or anti spyware can fully get rid of it because of this feature it has.
</quote>

Real pain is right. It is in these cases that the ability to deny permissions on the file(s) works best. A good way to identify suspect files is to use Explorer to sort the files in c:\windows and c:\windows\system32 by date, then look at the most recent ones. Usually the bot will have generated random names (many don't even end in .exe), but by examining the file sizes and dates you can get a feel for it, and deny all permissions, then reboot. The bad stuff can't launch then because it doesn't have permission to access its own files, and you have a chance to clean things up.

Obviously this is not recommended for novice users.
0
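The deny-permissions procedure r-k describes (in this post and in the earlier "Here is one thing that can be very effective" post), as an added PowerShell example that is not code from the thread: it records a hash, timestamps and the original DACL of a suspect file as evidence, adds a Deny-Everyone rule so nothing can open the file at the next boot, and on a second run after the reboot removes that rule and deletes the file. `$Suspect` is a placeholder path, `Lock-SuspectFile` and `Remove-LockedFile` are names chosen here, and the script assumes a current Windows host with an elevated session run by the same account both times (Windows 2000 itself has no PowerShell; there the same steps are the Security tab in Explorer).

```powershell
# Added example, not from the thread. Applies the deny-permissions step:
# record evidence, put a Deny-Everyone ACE on the suspect file so it cannot
# be loaded at the next boot, and after the reboot remove the rule and delete
# the file. $Suspect is a placeholder path; run elevated, as the account
# that will also do the cleanup.
param(
    [string]$Suspect = 'C:\WINNT\system32\SUSPECT_FILE.dll',
    [switch]$Cleanup   # second run, after the reboot
)

# Evidence is written under the user's profile, not into System32.
$evidencePath = Join-Path $env:USERPROFILE ([IO.Path]::GetFileName($Suspect) + '.evidence.json')

function New-EveryoneDenyRule {
    # An explicit Deny is evaluated before any Allow, and Everyone contains
    # SYSTEM and Administrators, so no process can open the file while the
    # rule is present. The owner keeps READ_CONTROL/WRITE_DAC implicitly,
    # which is what lets the cleanup run reverse it.
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        'Everyone', 'FullControl', 'Deny')
}

function Lock-SuspectFile {
    param([string]$Path, [string]$EvidencePath)
    $info = Get-Item -Path $Path -Force
    $acl  = Get-Acl -Path $Path
    # Hash, size, timestamps and the original DACL (as SDDL) go into the
    # evidence file before anything is changed.
    [pscustomobject]@{
        Path     = $Path
        SHA256   = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        Length   = $info.Length
        Created  = $info.CreationTime.ToString('o')
        Modified = $info.LastWriteTime.ToString('o')
        Sddl     = $acl.Sddl
    } | ConvertTo-Json | Set-Content -Path $EvidencePath

    $acl.AddAccessRule((New-EveryoneDenyRule))
    Set-Acl -Path $Path -AclObject $acl
    "Locked $Path; evidence in $EvidencePath. Reboot, then rerun with -Cleanup."
}

function Remove-LockedFile {
    param([string]$Path, [string]$EvidencePath)
    $evidence = Get-Content -Path $EvidencePath -Raw | ConvertFrom-Json
    $acl = Get-Acl -Path $Path
    # Drop the Deny rule so the DELETE right from the original DACL applies again.
    [void]$acl.RemoveAccessRule((New-EveryoneDenyRule))
    Set-Acl -Path $Path -AclObject $acl
    Remove-Item -Path $Path -Force
    "Removed $Path (SHA256 $($evidence.SHA256))"
}

if ($Cleanup) { Remove-LockedFile -Path $Suspect -EvidencePath $evidencePath }
else          { Lock-SuspectFile  -Path $Suspect -EvidencePath $evidencePath }
```

If the file is owned by another account (SYSTEM, for instance), take ownership first with `takeown /f <path>`, otherwise the second run cannot read the DACL back. As the thread notes, this only works if every file of a paired infection is locked before the reboot; the evidence file keeps the hash so the sample can be identified later without keeping the binary around.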