  • #2211697

    Trojan horse BackDoor.Generic_r.EV

    by bodonnell11 ·

    Thought I’d post this and would appreciate any suggestions:

    Re this bug, which appeared to hijack browsers yesterday. Viewed in Task Manager when the desktop icon was clicked (but not when the tray icon was clicked), and particularly on Firefox, it ran a very, very brief program called sysfade.(???) [didn’t get the extension], during which time the browser, instead of appearing to load, wasn’t visible and appeared not to have launched at all. After running a full scan using AVG, AVG apparently isolated it and moved it to the Virus Vault, giving these details:

    "C:\WINDOWS\system32\IMPProcessor.sys";"Trojan horse BackDoor.Generic_r.EV";"Moved to Virus Vault"
    "C:\WINDOWS\Downloaded Installations\{18ADC5D2-2DE4-4A9C-9D39-8E14444C1233}\Intel Mobile Platform Runtime 1.3.msi:\Data1.cab:\_FDDF201A8E2C6ECF9B114821EFAF4BCE";"Trojan horse BackDoor.Generic_r.EV";"Moved to Virus Vault"
    "C:\WINDOWS\Downloaded Installations\{18ADC5D2-2DE4-4A9C-9D39-8E14444C1233}\Intel Mobile Platform Runtime 1.3.msi:\Data1.cab:\_7ED41E6B049905FA21E864DB3D58D06E";"Trojan horse BackDoor.Generic_r.EV";"Moved to Virus Vault"
    "C:\WINDOWS\Downloaded Installations\{18ADC5D2-2DE4-4A9C-9D39-8E14444C1233}\Intel Mobile Platform Runtime 1.3.msi:\Data1.cab";"Trojan horse BackDoor.Generic_r.EV";"Moved to Virus Vault"
    "C:\WINDOWS\Downloaded Installations\{18ADC5D2-2DE4-4A9C-9D39-8E14444C1233}\Intel Mobile Platform Runtime 1.3.msi";"Trojan horse BackDoor.Generic_r.EV";"Moved to Virus Vault"

    AVG had not detected anything coming in during sessions prior to 1 June, and the problem on 1 June occurred immediately after switching on the computer and attempting to open Internet Explorer, which opened then hung (indicative of the bug coming in during a previous session and staying resident after system close down in a previous session).

    At the same time the internet network connection dropped out. (Noted that after AVG was run with these results and the system was closed down and rebooted, the network connection was enabled again.)

    On closing down the system after the AVG scan (the browser applications were still hanging), the system told me, one by one in reverse order to the order in which I had tried to run them, that the 5 browsers were still running, so each was ended in that order (this appears to indicate that the browser programs were running in some way but halted during launch).

    On reboot everything worked fine – as I recall I only visited about three websites: TR, sydney.gumtree.com.au and Wikipedia

    All very good and no problems were had.

    On startup today (visiting gumtree again), using only IE8, I noticed the browser slowed and ran AVG again. The results were as follows:

    "C:\System Volume Information\_restore{FBE630FA-4265-4C18-9B38-DA497DC71CB3}\RP57\A0028502.sys";"Trojan horse BackDoor.Generic_r.EV";"Moved to Virus Vault"
    "C:\System Volume Information\_restore{FBE630FA-4265-4C18-9B38-DA497DC71CB3}\RP57\A0028501.msi:\Data1.cab:\_FDDF201A8E2C6ECF9B114821EFAF4BCE";"Trojan horse BackDoor.Generic_r.EV";"Moved to Virus Vault"
    "C:\System Volume Information\_restore{FBE630FA-4265-4C18-9B38-DA497DC71CB3}\RP57\A0028501.msi:\Data1.cab:\_7ED41E6B049905FA21E864DB3D58D06E";"Trojan horse BackDoor.Generic_r.EV";"Moved to Virus Vault"
    "C:\System Volume Information\_restore{FBE630FA-4265-4C18-9B38-DA497DC71CB3}\RP57\A0028501.msi:\Data1.cab";"Trojan horse BackDoor.Generic_r.EV";"Moved to Virus Vault"
    "C:\System Volume Information\_restore{FBE630FA-4265-4C18-9B38-DA497DC71CB3}\RP57\A0028501.msi";"Trojan horse BackDoor.Generic_r.EV";"Moved to Virus Vault"

    Again, exactly five instances of what appears to be the same bug that appeared to hijack browsers last evening.

    Regards,

    • #3026198

      Sounds like

      by the ‘g-man.’ ·

      In reply to Trojan horse BackDoor.Generic_r.EV

      System Restore copied the virus. Suggest you clear that as well.

      http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.aspx
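      The two AVG Virus Vault reports in the original post, and the reply above about System Restore having copied the files, can both be read mechanically. The script below is an added example (mine, not AVG's, not the poster's) that parses report lines in the `"path";"detection";"action"` shape shown in the post, unpacks AVG's `outer.msi:\inner.cab:\member` notation for files found inside archives, and sorts each hit into one of three places: a live kernel driver under system32, a cached Windows Installer package under Downloaded Installations, or a System Restore copy under System Volume Information\_restore{...}\RPnn. The sample lines are constructed from the post; the location categories, the `:\` archive-nesting rule and the function names are my assumptions about the format, not documented AVG behaviour. The practical point it surfaces is the one the reply makes: the restore-point copies (RP57 here) are not what executes, but they will come back if that restore point is ever applied, so the restore point itself has to go.

```python
"""Parse AVG Virus Vault report lines and classify where each detection lives.

Added example, not code from the forum post or from AVG. The report format
(";"-separated, quoted fields) and the ":\" archive-member notation are
assumed from the lines quoted in the post.
"""
import csv
import io
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: five lines shaped like the two scans quoted in the post
# (straight quotes here; the forum rendered them as typographic quotes).
SAMPLE_REPORT = r'''"C:\WINDOWS\system32\IMPProcessor.sys";"Trojan horse BackDoor.Generic_r.EV";"Moved to Virus Vault"
"C:\WINDOWS\Downloaded Installations\{18ADC5D2-2DE4-4A9C-9D39-8E14444C1233}\Intel Mobile Platform Runtime 1.3.msi:\Data1.cab:\_FDDF201A8E2C6ECF9B114821EFAF4BCE";"Trojan horse BackDoor.Generic_r.EV";"Moved to Virus Vault"
"C:\WINDOWS\Downloaded Installations\{18ADC5D2-2DE4-4A9C-9D39-8E14444C1233}\Intel Mobile Platform Runtime 1.3.msi";"Trojan horse BackDoor.Generic_r.EV";"Moved to Virus Vault"
"C:\System Volume Information\_restore{FBE630FA-4265-4C18-9B38-DA497DC71CB3}\RP57\A0028502.sys";"Trojan horse BackDoor.Generic_r.EV";"Moved to Virus Vault"
"C:\System Volume Information\_restore{FBE630FA-4265-4C18-9B38-DA497DC71CB3}\RP57\A0028501.msi:\Data1.cab";"Trojan horse BackDoor.Generic_r.EV";"Moved to Virus Vault"
'''

# System Restore (XP) keeps its copies under _restore{GUID}\RPnn\A00xxxxx.ext
RESTORE_RE = re.compile(
    r'\\System Volume Information\\_restore\{[0-9A-F-]+\}\\(RP\d+)\\', re.I)


@dataclass
class Detection:
    container: str            # outermost file that actually exists on disk
    members: List[str]        # nested archive members, outermost first
    name: str                 # detection name as reported
    action: str               # what the scanner did with it
    location: str             # live_driver | cached_installer | restore_point | other
    restore_point: Optional[str] = None   # e.g. "RP57" when location == restore_point


def split_archive_path(raw: str) -> Tuple[str, List[str]]:
    """Split 'C:\\a\\b.msi:\\Data1.cab:\\member' into the on-disk file and its
    nested members. The drive letter also uses ':\\', so parts[0] is the drive
    and parts[1] the path on that drive; anything after is inside an archive."""
    parts = raw.split(':\\')
    if len(parts) < 2:
        return raw, []
    container = parts[0] + ':\\' + parts[1]
    return container, parts[2:]


def classify(container: str) -> Tuple[str, Optional[str]]:
    """Decide where the file lives; only non-restore-point hits can execute."""
    m = RESTORE_RE.search(container)
    if m:
        return 'restore_point', m.group(1).upper()
    low = container.lower()
    if '\\windows\\system32\\' in low and low.endswith('.sys'):
        return 'live_driver', None        # kernel driver path: highest concern
    if '\\windows\\downloaded installations\\' in low:
        return 'cached_installer', None   # Windows Installer cache of an .msi
    return 'other', None


def parse_report(text: str) -> List[Detection]:
    """Parse ';'-separated, double-quoted report lines; skip malformed rows."""
    out: List[Detection] = []
    # csv with escapechar=None leaves the backslashes in Windows paths alone.
    for row in csv.reader(io.StringIO(text), delimiter=';', quotechar='"'):
        if len(row) != 3:
            continue
        raw, name, action = row
        container, members = split_archive_path(raw)
        location, rp = classify(container)
        out.append(Detection(container, members, name, action, location, rp))
    return out


def restore_points_to_clear(dets: List[Detection]) -> List[str]:
    """Restore points that hold a copy of the detection and must be purged."""
    return sorted({d.restore_point for d in dets if d.restore_point})


def live_detections(dets: List[Detection]) -> List[Detection]:
    """Hits outside System Restore: the copies that were actually loadable."""
    return [d for d in dets if d.location != 'restore_point']


if __name__ == '__main__':
    found = parse_report(SAMPLE_REPORT)
    for d in found:
        nest = ' -> '.join(d.members) if d.members else '(on disk)'
        print(f'{d.location:16} {d.container}  {nest}')
    print('live copies:', len(live_detections(found)))
    print('restore points to clear:', restore_points_to_clear(found))
```

      Run it against a saved scan report in the same format to separate the copies that could actually run from the ones System Restore tucked away; the second scan in the post is entirely of the latter kind, which is why clearing the restore point is the remaining step rather than another antivirus pass.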

    • #3028269

      All Clean

      by bodonnell11 ·

      In reply to Trojan horse BackDoor.Generic_r.EV

      Have run a full scan twice since my last post. Have also run Malwarebytes and Spybot S&D – All clean is the result from all of these.

      • #3028267

        Oh Smeg, I hear, has had similar trouble

        by bodonnell11 ·

        In reply to All Clean

        Yes, his trouble started on 1 June also – haven’t heard from him since.

        • #3028266

          Oh Smeg

          by santeewelding ·

          In reply to Oh Smeg, I hear, has had similar trouble

          They would dare?

          No way.

        • #3028265

          Apparently so!

          by bodonnell11 ·

          In reply to Oh Smeg

          Last email I had from him was that he was battling the same kind of demon. Hasn’t answered the phone since.

        • #3028264

          Say it ain’t so

          by santeewelding ·

          In reply to Apparently so!

          What, then, awaits the rest of us?

        • #3028263

          Oh – wouldn’t they

          by bodonnell11 ·

          In reply to Oh Smeg

          Be careful – you don’t know that you’re not next. I have known Oh Smeg now since 1993, so if he’s got a problem, it’s a problem!

        • #3028262

          Oh, shilt.

          by santeewelding ·

          In reply to Oh – wouldn’t they

          .

        • #3028248

          Well Smeggy only had a problem

          by hal 9000 ·

          In reply to Oh Smeg, I hear, has had similar trouble

          Because of a client who insisted on opening a Phony E-Mail.

          Some people are just click happy and do not look.

          Anyway, hopefully now it’s all finished. I only went over there on Wednesday to return the computer, then again on Thursday to reset something to the way that the user wanted it, and finally 2 times last Friday to play with the spam filter and get it back to the way that it was set before she infected the computer.

          Hopefully it’s all finished now and I will not be getting a phone call first thing Monday. I’ve been trying to kill myself by attempting to catch up with my real work ever since I landed this job. :_|

          The way things are going here I’ll be glad when 1272 finally comes to an end. Things just have to get better later on when we get around 1998. I hope. 😉

          Col
