Urgent help , been backdoored >.<

Losing_grip
Fame ! Where are the chicks?!
Posts: 485
Joined: 22 Apr 2007, 16:00
Location: Behind Socks5

Post by Losing_grip »

OK, I've been backdoored by someone... I think it's because of some file I downloaded recently without checking it, because I was too lazy to check it...
This morning I noticed that my anti-virus isn't working, and the same goes for my AVG Anti-Spyware; I searched for them in Program Files and their folders are missing... so I began to think I've been backdoored by someone. Good thing my ZoneAlarm and WinPatrol are still running, because I believe ZoneAlarm can't be killed via a process. Tonight WinPatrol notified me that File.exe was trying to add itself to my startup items... so I clicked no and began to do some investigating, and I saw
expIorer.exe running in my processes and end-tasked it. I scanned expIorer.exe and File.exe on VirusTotal, which gave me a result of backdoor. I believe one is ProRat and the other one is a crypted backdoor.
So I did a sandbox scan, and it gave me this outgoing connection:

DNS Lookup
Host Name IP Address
ASANDBOXEN captcha155
gunner54.bounceme.net 82.153.194.246
Outgoing connection to remote server: gunner54.bounceme.net TCP port 5250


ProRat connects to captcha155 and to the client.
I have no idea how many backdoors he installed on my PC.
Right now I'm waiting for a reply to my HijackThis log at the SWI forum.

Meanwhile I tried to visit

gunner54.bounceme.net

and it's like a website which contains files and stuff!!!
Can you guys please kindly check it?

ProRat can do a format, so I'm a little bit aware. I think I'm going to search for ProRat registry stuff.

And yes, I already deleted that stuff. But I still took some samples and RARed them, so if you want to check them yourself, they're here:

http://rapidshare.com/files/53109937/backttack.rar.html

RAR password: suck-o

And oh yeah, I also blocked a servicess.exe running in my processes.

Sorry about my extremely terrible English lol xD
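The two finds in the post above, expIorer.exe (a capital I standing in for a lowercase l) and servicess.exe (an extra s), are both look-alikes of real Windows process names. The script below is an added example, not from the thread or from any tool mentioned in it, that flags such look-alikes in a process list; the list of legitimate names and the sample process list are constructed for the example, and Task Manager or Process Explorer output would be the real input.

```python
# Added example: flag process names that imitate legitimate Windows binaries, as in
# the thread (expIorer.exe with a capital I, servicess.exe with an extra s).
# LEGIT and SAMPLE are constructed for this example, not taken from a real host.

LEGIT = {"explorer.exe", "services.exe", "svchost.exe", "lsass.exe",
         "winlogon.exe", "csrss.exe", "smss.exe"}

# Glyphs that look alike in the Task Manager font, folded to one canonical form.
HOMOGLYPHS = str.maketrans({"I": "l", "1": "l", "|": "l", "O": "o", "0": "o"})

def fold(name):
    """Fold look-alike glyphs before lower-casing (I -> l must run before lower())."""
    return name.translate(HOMOGLYPHS).lower()

def edit_distance(a, b):
    """Levenshtein distance, used to catch names one typo away (servicess.exe)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(name, legit=LEGIT):
    """Return (verdict, known name it resembles or None): ok = exact match,
    lookalike = equal after glyph folding, nearmatch = one edit from a known
    name, unknown = nothing close (e.g. File.exe, which needs a manual look)."""
    lower = name.lower()
    if lower in legit:
        return "ok", lower
    folded = fold(name)
    for known in legit:
        if folded == fold(known):
            return "lookalike", known
    near = sorted(k for k in legit if edit_distance(lower, k) == 1)
    if near:
        return "nearmatch", near[0]
    return "unknown", None

def suspicious(processes):
    """Every entry of a process list that is not an exact known name."""
    return [(p,) + classify(p) for p in processes if classify(p)[0] != "ok"]

if __name__ == "__main__":
    SAMPLE = ["explorer.exe", "expIorer.exe", "svchost.exe", "servicess.exe", "File.exe"]
    for name, verdict, known in suspicious(SAMPLE):
        print("%-14s %-10s %s" % (name, verdict, known or ""))
```

An "unknown" verdict is not a clean bill; File.exe comes back unknown here and was still a backdoor, so unknown names get looked up rather than ignored.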

ayu
Staff
Posts: 8109
Joined: 27 Aug 2005, 16:00

Post by ayu »

Well... gunner54.bounceme.net has a c99 shell on it =P in PHP format... which means that anyone has access to his files, including deleting them.

If I were you I would unplug the internet cable from the computer, download stuff from another one and transfer it, just to make sure that he doesn't use the computer.

Download things like Kaspersky, Ad-Aware, Spybot, Process Explorer (from the DL section) and so on, and check for rootkits as well.

Also check your Windows and System32 folders for "weird" files; check the newest files added in the folders, they will most likely have random names.

A tip is to use batch files to remove files that are already in use by programs.

"The best place to hide a tree, is in a forest"

bubzuru
.net coder
Posts: 700
Joined: 17 Apr 2007, 16:00

Post by bubzuru »

neo130 wrote: it's not a very good idea to have a backdoor here ;/ //Cats

That made me lol

rhysh
Fame ! Where are the chicks?!
Posts: 767
Joined: 15 Nov 2006, 17:00

Post by rhysh »

OK, disable your internet and get Registry Monitor:

http://www.microsoft.com/technet/sysint ... egmon.mspx

OK, open the file in Regmon and find the keys it adds.
Go to Start, Run and type msconfig, then go through your processes, startup, boot.ini etc. Tip: don't hide all Microsoft services, for trojans are getting advanced; they could easily spoof the maker etc.

If this doesn't help, please say so and I'll do some further research into ProRat.

Nerdz
The Architect
Posts: 1127
Joined: 15 Jun 2005, 16:00
Location: #db_error in: select usr.location from sucko_member where usr.id=63;

Post by Nerdz »

Playing with water, wet. Playing with fire, burned.
Give a man a fish, you feed him for one day.
Teach a man to fish, you feed him for life.

rhysh
Fame ! Where are the chicks?!
Posts: 767
Joined: 15 Nov 2006, 17:00

Post by rhysh »

nerdzoncrack wrote: Playing with water, wet. Playing with fire, burned.

lol

hpprinter100
Fame ! Where are the chicks?!
Posts: 214
Joined: 19 Oct 2007, 16:00

Post by hpprinter100 »

Disconnect, buy a portable hard drive, back your Word documents up, format, re-install Windows and don't go to dodgy warez sites or use LimeWire.

Losing_grip
Fame ! Where are the chicks?!
Posts: 485
Joined: 22 Apr 2007, 16:00
Location: Behind Socks5

Post by Losing_grip »

hpprinter100 wrote: Disconnect, buy a portable hard drive, back your Word documents up, format, re-install Windows and don't go to dodgy warez sites or use LimeWire.

Please check the date first before replying to a certain topic.
I already solved this problem without reformatting. However, thank you for the common tip (reformat).

ebrizzlez
Kage
Posts: 732
Joined: 31 Mar 2007, 16:00
Location: Hidden in a Buffer Protection.

Post by ebrizzlez »

Next time I highly recommend using NOD32; it's the best anti-virus program out there. (It has been top rated and is one of my own personal favourites.) Its real-time scanner caught half the trojans and viruses I downloaded directly in the folders as soon as I opened the folder! It's incredibly fast and durable.

The only problem is... NOD32 costs a bit, buttttt... I am sure you could find a "free" trial you could use for... Just borrow the program and see if it's worthy enough to buy, that's all. ^^

PM me for details.

And if you're new to Suck-O then remember:

Code:

Winners Don't Do Warez

floodhound2
∑lectronic counselor
Posts: 2117
Joined: 03 Sep 2006, 16:00
Location: 127.0.0.1

Post by floodhound2 »

Losing_grip, how is the school project?

I posted in Electronics but you have not replied...
₣£ΘΘĐĦΘŮŇĐ