Re: Backdoor.berbew.p now totally paranoid
From: David H. Lipman (DLipman~nospam~_at_Verizon.Net)
Date: 01/27/05
- Next message: giggiiii: "new bug of IE6?"
- Previous message: Alex Potter: "Backdoor.berbew.p now totally paranoid"
- In reply to: Alex Potter: "Backdoor.berbew.p now totally paranoid"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 27 Jan 2005 15:21:39 -0500
Alex:
Start by obtaining TCPVIEW.EXE from SysInternals -- http://www.sysinternals.com/
It will show you what file is opening what port and is communicating to what site. It is
like NETSTAT except it is a GUI dynamic utility and can show the executable that is opening
the port.
Also... Process Explorer and TDIMon are valuable utilities.
With these tools you may be able to track down any Trojans still on your PC.
You did not reply to my query on this so PLEASE perform the following...
1) Download the following three items...
McAfee Stinger
http://vil.nai.com/vil/stinger/
Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp
Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp
Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")
Download SYSCLEAN.COM and place it in that directory.
Download the signature files (pattern files) by obtaining the ZIP file.
For example; lpt375.zip
Extract the contents of the ZIP file and place the contents in the same directory as
SYSCLEAN.COM.
2) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
3) Reboot your PC into Safe Mode and shutdown as many applications as possible
4) Using both the Trend Sysclean utility and Stinger, perform a Full Scan of your
platform and clean/delete any infectors found
5) Restart your PC and perform a "final" Full Scan of your platform using both.
6) If you are using WinME or WinXP, re-enable System Restore and re-apply any
System Restore preferences (e.g. HD space to use, suggested 400 ~ 600MB).
7) Reboot your PC.
8) If you are using WinME or WinXP, create a new Restore point
* * * Please report back your results * * *
--
Dave
http://www.claymania.com/removal-trojan-adware.html

"Alex Potter" <apotter@videotron.ca> wrote in message news:u$7AuuKBFHA.3820@TK2MSFTNGP11.phx.gbl...
| Hi there,
|
| I had a post going on w2k general but David Lipman (Thank you David) pointed
| me to this news group.
| I recently (yesterday) recovered from a Backdoor.Berber.P attack which has
| left me completely paranoid... So
| I did a search of my system for files that have been modified within the last
| month & have been slowly (1082 files)
| checking to see if the modification makes sense!!!
| I just came across a dll file (wszt3t2.dll) that was created on the 24th,
| modified yesterday, and accessed today.
| (today's access could have been me)
| So I opened it up in UltraEdit and to my surprise it contains a text list of
| urls with usernames etc - a small list follows:
|
| <pop.videotron.ca> pop.videotron.ca relais.videotron.ca Alex
| Potter<username> () vldghgoc:temp01
| [http://lc3.law13.hotmail.passport.com/cgi-bin/login]
| username:,username:,username:
| [http://localhost/dir/] username:
| [https://www.leevalley.com/home/shopLogin.asp] username:password
|
|
| Now I'm kind of nervous
|
| Any thoughts???
|
| TIA
|
| Alex Potter
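The reason Dave points at TCPView is that plain NETSTAT shows ports but not the executable behind them. On Windows XP and later the same correlation can be done from the command line: `netstat -ano` prints the owning PID in its last column and `tasklist /fo csv` maps PIDs to image names (Windows 2000's netstat has no -o switch, which is why a 2000 box needs TCPView or a similar tool). The script below is an added example written for this page, not code from the post or from SysInternals; it parses constructed sample output of both commands, joins them on PID, and lists every connection whose owning image is not in a caller-supplied list of expected processes. All addresses, PIDs and the image name `upd8r.exe` in the samples are invented.

```python
import csv
import io
import re
from typing import Dict, List

# Constructed sample of `netstat -ano` output (Windows XP and later).
# Addresses, PIDs and ports are invented for the example.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    192.168.1.5:1057       216.239.57.99:80       ESTABLISHED     1500
  TCP    192.168.1.5:1062       10.0.0.7:6667          ESTABLISHED     2240
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING       2240
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist /fo csv` output for the same machine.
# `upd8r.exe` is an invented name standing in for an unknown executable.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","876","Console","0","4,120 K"
"iexplore.exe","1500","Console","0","22,480 K"
"upd8r.exe","2240","Console","0","1,204 K"
"""

# One netstat row: proto, local endpoint, foreign endpoint, optional state
# (UDP rows have none), and the PID. Header and blank lines do not match.
_NETSTAT_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)


def _split_endpoint(endpoint: str):
    """Split 'host:port' on the last colon; '*:*' and similar give port None."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[dict]:
    rows = []
    for line in text.splitlines():
        m = _NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        lhost, lport = _split_endpoint(local)
        rhost, rport = _split_endpoint(remote)
        rows.append({
            "proto": proto,
            "local_host": lhost, "local_port": lport,
            "remote_host": rhost, "remote_port": rport,
            "state": state or "",
            "pid": int(pid),
        })
    return rows


def parse_tasklist_csv(text: str) -> Dict[int, str]:
    """Map PID -> image name from `tasklist /fo csv` output."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(r["PID"]): r["Image Name"] for r in reader}


def correlate(netstat_text: str, tasklist_text: str) -> List[dict]:
    """Join netstat rows to the owning image name by PID."""
    images = parse_tasklist_csv(tasklist_text)
    rows = parse_netstat(netstat_text)
    for r in rows:
        # A PID with no tasklist entry means the process exited between the
        # two snapshots, or is hidden from tasklist; worth a second look.
        r["image"] = images.get(r["pid"], "<unknown>")
    return rows


def flag_unknown(rows: List[dict], trusted_images) -> List[dict]:
    """Return every connection owned by an image not in the trusted set."""
    return [r for r in rows if r["image"] not in trusted_images]


# Images you expect to own sockets on this particular machine (a judgement
# call per host; the point is to make everything else visible).
TRUSTED = {"System", "svchost.exe", "iexplore.exe"}

if __name__ == "__main__":
    for r in flag_unknown(correlate(NETSTAT_SAMPLE, TASKLIST_SAMPLE), TRUSTED):
        print(f'{r["proto"]:<4} {r["local_host"]}:{r["local_port"]} -> '
              f'{r["remote_host"]}:{r["remote_port"]} {r["state"]:<12} '
              f'pid={r["pid"]} image={r["image"]}')
```

On a live machine, feed the functions the captured text of `netstat -ano` and `tasklist /fo csv` taken back to back. Two things the sample illustrates are worth checking by hand afterwards: a process that both listens on a port and holds an outbound connection to an unfamiliar host, and a PID that netstat reports but tasklist does not.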