New Virus?

Discussion in 'NOD32 version 2 Forum' started by Nirvy, Sep 4, 2004.

Thread Status:
Not open for further replies.
  1. Nirvy

    Nirvy Registered Member

    Joined:
    Aug 16, 2004
    Posts:
    25
    Location:
    Leeds, England
    Well, it happened: today as I powered on I got my first ever virus in 15 years of owning PCs :(

    I logged on and NOD immediately detected it, said it couldn't clean it, so I deleted it. I performed a scan after and it came up as showing two other files infected! Now I was very interested as to how I got this Trojan, as I'm very security conscious and pretty savvy about it.

    A search on Google brought ZERO matches. Can anyone advise? Here is the log from NOD32.

    C:\WINDOWS\system32\Lhefig32.dll - Win32/Padodor.V trojan
    C:\WINDOWS\system32\Clkhec32.dll - Win32/Padodor.V trojan
    C:\WINDOWS\System32\Jjeieege.dll - Win32/Padodor.V trojan
     
  2. Nirvy

    Nirvy Registered Member

    Joined:
    Aug 16, 2004
    Posts:
    25
    Location:
    Leeds, England
    Please note in each case I had to delete and also quarantine the virus as NOD32 could not clean it.

    I have NOD totally up to date, I run Sygate Personal Pro Firewall, which I upgraded to the new build yesterday, I have not downloaded anything which may have contained this virus, and I'm VERY careful over what I do online.

    The fact I can't find any info on it makes me wonder if I deleted legitimate Windows files in a false alarm, hence me quarantining them.

    Sygate shows no logs of being attacked, and no apps but a dozen I use regularly have inbound or outbound access.

    Finally, my task manager has no suspicious processes, and I even checked before I deleted the files.

    *baffled*
     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    If NOD32 says that a particular infected file cannot be cleaned, it means that it most probably consists only of the virus itself and therefore should be deleted. This is the case with trojans and most worms propagating via email. If you are not sure whether it is safe to delete an infected file, you can always quarantine it (tick the Quarantine check-box and select Delete).
     
  4. Nirvy

    Nirvy Registered Member

    Joined:
    Aug 16, 2004
    Posts:
    25
    Location:
    Leeds, England
    Thanks, got rid of the 3 I found, and after a few reboots I show as clean. Just wondered if anyone knew about this one; I'm pretty safe about emails. Unless my fiancée did something whilst I was at work.

    Oh well, files deleted anyway, I'll just keep an eye out for a bit.
     
  5. msanto

    msanto Registered Member

    Joined:
    Aug 12, 2004
    Posts:
    214
    If you go to Virus Bulletin, you can enter that name (Padodor.V) into Vgrep and it will tell you what other antivirus companies call that virus ... since they don't all use the same name.

    http://www.virusbtn.com/resources/vgrep/index.xml

    I tried that though, and despite the fact it found it, I couldn't get info by clicking through other vendors' links for that virus. Oh well.
     
  6. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I can't see how this Trojan comes in specifically; however, I would change your passwords, especially if you use Internet Banking and store the password with Internet Explorer. See the following:

    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_BERBEW.F

    Aliases: BackDoor-AXJ, BackDoor-AXJ.dll, Backdoor.Padodor.gen
    Pattern file needed: 1.944.28
    Scan engine needed: 6.810

    Overall risk rating: Very Low

    Description:

    This backdoor is capable of stealing cached passwords in Internet Explorer, and posts the gathered data onto a list of Web sites. Also, it stays memory-resident and opens a random port where it listens for commands from malicious users, leaving the system compromised.

    This backdoor drops several files, including a .DLL component (detected by Trend Micro as BKDR_BERBEWDLL.F) that is injected into EXPLORER.EXE to prevent users from viewing the running backdoor process in Task Manager.

    It modifies the Windows registry so that its dropped files are loaded whenever Windows starts up.

    Hope this helps…

    Cheers :D
     
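The Trend Micro description above says the dropped DLLs are wired into the registry so they load at startup, and the first post shows the three DLLs NOD32 flagged in system32. As an added example (not code from the thread or from any vendor), the following script correlates a NOD32-style scan log with a `.reg` export of autostart keys, so a defender can see which flagged files have a persistence entry and which would need further looking. Both inputs are constructed samples: the log lines copy the thread, while the registry export, the value names and the all-zero CLSID are invented placeholders.

```python
import re

# Constructed sample: NOD32 scan log in the "path - detection" format shown in the thread.
NOD32_LOG = """\
C:\\WINDOWS\\system32\\Lhefig32.dll - Win32/Padodor.V trojan
C:\\WINDOWS\\system32\\Clkhec32.dll - Win32/Padodor.V trojan
C:\\WINDOWS\\System32\\Jjeieege.dll - Win32/Padodor.V trojan
"""

# Constructed sample of a .reg export of autostart locations (HKLM Run key and a
# COM InprocServer32 entry). Value names and the CLSID are invented placeholders.
REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sygate Personal Firewall"="C:\\Program Files\\Sygate\\SPF\\smc.exe -startgui"
"Lhefig"="rundll32.exe C:\\WINDOWS\\system32\\Lhefig32.dll,Start"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32]
@="C:\\WINDOWS\\System32\\Jjeieege.dll"
"""

def parse_nod32_log(text):
    """Return {lower-cased path: detection name} from 'path - name' lines."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"^(.*?\.\w+)\s+-\s+(.+)$", line.strip())
        if m:
            found[m.group(1).lower()] = m.group(2)
    return found

def parse_reg_export(text):
    """Yield (key, value_name, data) from a .reg-style export; unescapes '\\\\'."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and "=" in line:
            name, _, data = line.partition("=")
            yield key, name.strip('"'), data.strip('"').replace("\\\\", "\\")

def correlate(log_text, reg_text):
    """Map each detected file to the autostart entries that reference it.

    An empty list means no persistence entry was found in the export for that
    file, so its loading mechanism (e.g. another dropped component) is still
    unexplained and the file deserves a closer look before being written off."""
    detections = parse_nod32_log(log_text)
    hits = {path: [] for path in detections}
    for key, name, data in parse_reg_export(reg_text):
        for path in detections:
            if path in data.lower():
                hits[path].append(f"{key}\\{name}")
    return hits
```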
  7. Nirvy

    Nirvy Registered Member

    Joined:
    Aug 16, 2004
    Posts:
    25
    Location:
    Leeds, England
    Weird, I don't use Internet Explorer at all. I open it maybe once a month to check Windows updates.

    I use Opera for my internet banking, but then again I work in the IT dept of the Halifax bank here in the UK, so I can just ask one of the cute girls on the phones to check my accounts :)

    Oh well, it seems to be clean now anyway. Thanks
     
  8. Big D1

    Big D1 Registered Member

    Joined:
    Aug 20, 2004
    Posts:
    68
    Just to add some more information.

    Whatever server you or somebody visited was infected with Download.Ject.

    The infected server downloads a trojan to your system. This Trojan horse is named Backdoor:W32/Berbew, also known as Backdoor-AXJ, Webber, or Padodor.

    Read this Microsoft security update here: http://www.microsoft.com/security/incident/download_ject.mspx
     
  9. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Thanks for the info Big D1

    Cheers :D
     
  10. Nirvy

    Nirvy Registered Member

    Joined:
    Aug 16, 2004
    Posts:
    25
    Location:
    Leeds, England
    It can't be, I haven't opened IE up in nearly a month since I installed SP2. And then the single site I went to was Windows Update.

    Opera is not vulnerable to Download.Ject.

    All I can think is I came across a file that included it.
     