Security Community Blog

Backdoor Trojan Removal

Created: 26 May 2009 • 3 comments
Rishi Bhaskar

The following activities were performed:
1. I observed that Backdoor.Trojan was infecting the files win.exe and dod.exe, and Symantec was protecting them; at the time of protection, Symantec Auto-Protect gave a popup. I also observed that this virus stopped the volume drives from opening on double-click; they could only be opened by right-click > Explore.
2. Next I tried Folder Options to unhide hidden files, but Folder Options was not working, so from a command prompt (Run > cmd) I opened C:\autorun.inf to check which exe file it launched; it came up as E:\winfile.jpg.
3. From Run > cmd I typed attrib -r -s -h autorun.inf to unhide it, and attrib -r -s -h winfile.jpg. The files would appear and then disappear again, so to solve this follow the steps below.
a) Download the latest Rapid Release definitions and deploy them on the client PC. If the Rapid Release does not deploy, download the .xdb file, rename it from .zip to .xdb and paste it at C:\Documents and Settings\All Users\ . Then turn off System Restore and scan. After scanning, restart in normal mode, then check from Run > cmd:
C:\>attrib -r -s -h winfile.jpg
C:\>attrib -r -s -h autorun.inf
C:\>del autorun.inf
Now try accessing the volume drives; you will get an error that the script C:\winfile.jpg was not found.
Then check the other volumes with the same steps as above, to ensure that winfile.jpg and autorun.inf do not exist on any of them. Do not double-click a drive while checking; use right-click > Explore or the command prompt, since double-clicking a drive is what makes Explorer act on its autorun.inf. Also ensure winscript.exe is not running in Task Manager. Then restart the PC again.
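As an added example (not part of Rishi's post and not Symantec tooling), the following Python 3 script does step 2 and the per-drive check above in one pass: it parses an autorun.inf the way a responder reads it, lists which files the drive would hand to Explorer, and, only when asked, clears the read-only/system/hidden attributes (what the attrib -r -s -h commands above do) and deletes autorun.inf plus any launched file sitting in the same drive root. The sample autorun.inf text is constructed for the example; winfile.jpg is the name from the post, while the wscript.exe launcher line is an assumption about how a .jpg could be "run", not a copy of the real infection. The parser is deliberately tolerant of junk padding and mixed-case keys, which goes beyond the single file described in the post.

```python
"""Triage helper for an autorun.inf drive hijack (added example, not from the post).

Assumptions beyond the original post:
- autorun.inf uses the documented INI layout with an [autorun] section; worms
  often pad the file with junk lines and vary key case, so parsing is tolerant.
- SAMPLE_AUTORUN is constructed for this example; the wscript.exe launcher
  line is a guess at how a .jpg could be executed, not the real infection.
"""
import ntpath
import os
import re
from typing import Dict, List

# [autorun] keys whose value names something Explorer executes or loads.
LAUNCH_KEYS = ("open", "shellexecute", "icon")
# shell\<verb>\command=... hijacks Open/Explore/AutoPlay on the drive's context menu.
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)

# Constructed sample: junk padding, mixed-case section header, several launch keys.
SAMPLE_AUTORUN = """\
ghj7sd@@ random padding a worm inserts before the real section
[AuToRuN]
OPEN=wscript.exe //e:vbscript winfile.jpg
shell\\explore\\command=wscript.exe //e:vbscript winfile.jpg
shell\\open\\Command=wscript.exe //e:vbscript winfile.jpg
icon=%SystemRoot%\\system32\\shell32.dll,4
UseAutoPlay=1
[other]
open=harmless.exe
"""


def parse_autorun(text: str) -> Dict[str, str]:
    """Return key=value pairs from the [autorun] section with lower-cased keys.
    Lines outside the section, comments and junk without '=' are skipped."""
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launched_files(entries: Dict[str, str]) -> List[str]:
    """File names the autorun.inf hands to Explorer, in order of first appearance.
    Values may be whole command lines, so every token is examined; switches
    (//e:vbscript) and tokens without a dot are ignored, icon indexes are dropped."""
    found: List[str] = []
    for key, value in entries.items():
        if key not in LAUNCH_KEYS and not SHELL_CMD_RE.match(key):
            continue
        for token in value.replace('"', "").split():
            if token.startswith("/"):
                continue
            name = ntpath.basename(token).split(",")[0]
            if "." in name and name not in found:
                found.append(name)
    return found


def _clear_attributes(path: str) -> None:
    """Windows only: reset R/S/H attributes (what 'attrib -r -s -h' does) so the
    file can be deleted. Other platforms have no such attributes to clear."""
    if os.name != "nt":
        return
    import ctypes
    FILE_ATTRIBUTE_NORMAL = 0x80
    if not ctypes.windll.kernel32.SetFileAttributesW(path, FILE_ATTRIBUTE_NORMAL):
        raise ctypes.WinError()


def triage_drive(root: str, remove: bool = False) -> Dict[str, object]:
    """Inspect <root>/autorun.inf and report what it launches. Hidden/system files
    are readable without an attrib step. With remove=True, autorun.inf and any
    launched file found in the same root are un-hidden and deleted; review
    'launches' from a report-only run (the default) before removing anything."""
    inf = os.path.join(root, "autorun.inf")
    report: Dict[str, object] = {"present": os.path.isfile(inf), "launches": [], "removed": []}
    if not report["present"]:
        return report
    with open(inf, "r", encoding="latin-1", errors="replace") as fh:
        launches = launched_files(parse_autorun(fh.read()))
    report["launches"] = launches
    if remove:
        removed: List[str] = []
        for name in ["autorun.inf"] + launches:
            path = os.path.join(root, name)
            if os.path.isfile(path):
                _clear_attributes(path)
                os.remove(path)
                removed.append(name)
        report["removed"] = removed
    return report


def demo_in_tempdir() -> Dict[str, object]:
    """Stand-in for a drive root: write the constructed sample plus a fake
    winfile.jpg into a scratch directory, triage with removal, report what is left."""
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN)
        with open(os.path.join(root, "winfile.jpg"), "w") as fh:
            fh.write("' constructed stand-in for the dropped script\n")
        report = triage_drive(root, remove=True)
        report["left_behind"] = sorted(os.listdir(root))
    return report


if __name__ == "__main__":
    import sys
    for drive in sys.argv[1:]:      # e.g. C:\ D:\ E:\ ; report-only
        print(drive, triage_drive(drive))
    print("self-check:", demo_in_tempdir())
```

Run it report-only against every drive root first and confirm that the launched file it reports is the one you expect (winfile.jpg in the post) before passing remove=True; the script does not touch the running process, so the Task Manager check from the post is still needed, and with the file gone a double-click will produce the "script not found" error the post describes until the drive has been explored once without autorun.inf.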

Comments (3)

ester

I can't do step 3: "Access denied - C:\autorun.inf".
What's wrong?

Luca Bertolani

Hi all,

In case of an "access denied" error on a file that you can't see from normal Windows Explorer, you should be able to change the file permissions from a command prompt (CMD.EXE).

As example, the command:

C:\>cacls autorun.inf /E /G administrators:F

will add the "Administrators" group to the file "autorun.inf" with full rights.

More info on "CACLS" in Microsoft KBs:

http://support.microsoft.com/?scid=kb%3Ben-us%3B16...
http://support.microsoft.com/?scid=kb%3Ben-us%3B13...

Having the Administrators group with full rights will let the "attrib" command work correctly on the file.

--Luca

sbertram

Hi, did you run any free online scanners? One you can run is from Trend Micro, called HouseCall; the link is below. See if that cleans up the mess.
Good luck.
http://housecall.trendmicro.com/
