Please help me with Backdoor.Beasty.Family

Discussion in 'malware problems & news' started by Dan1975, Feb 9, 2005.

Thread Status:
Not open for further replies.
  1. Dan1975

    Dan1975 Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    30
    Location:
    Sydney, Australia
    Hey,

    I'm fairly new to this whole forum thing but am in desperate need of help. I have recently been experiencing real problems with an apparent virus called Backdoor.Beasty.Family. I used to have Nortons 2005 installed and every time I would right click on a file or icon, it would come up with a warning saying that the virus had been detected and removed, but this would occur 4 or 5 times every time I right clicked, so obviously not gone.

    When I disabled Nortons and right clicked, I obviously no longer got the warning, but the firewall would ask to allow MSN Messenger access to the net when I had not attempted to run Messenger.

    I have run about 8 different online scans along with a Nortons scan in safe mode as recommended on the Symantec website to no avail. None of the file names they said to look for in the registry were there either.

    I have since uninstalled Nortons and installed PC-Cillin instead, only to find that the same thing happens when I right click, except this time I get the warning message from PC-Cillin and it says it has quarantined it but cannot remove it. I have run a TDS-3 scan which others have told me seems normal.

    I just don't know where to go with this one o_O o_O I am thinking that the only way to get rid of it is to wipe my hard drive and start again, but I really don't want to do that.

    Does anyone out there know how to get rid of Backdoor.Beasty.Family o_O??
    I would be eternally grateful.

    Regards,

    Dan (Sydney, Australia)

    PS: I have tried two other forums and their suggestions have not got rid of it as yet. They seem out of ideas. Just wondering if new blood and a new outlook may help me?
     
  2. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
  3. Dan1975

    Dan1975 Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    30
    Location:
    Sydney, Australia
    Yeah,

    Sounds exactly like that, but that problem also seems unresolved in the end. I have tried everything that has been suggested to me and others so far and still have this thing. I am willing to go over it all again if necessary but as yet none of the recommended processes are able to get rid of it.

    I just don't understand how a virus that Norton themselves say has been around since 2003 is unable to be deleted by Nortons AV 2005? It can detect it but not remove it. What's all that about? What is the point of these AV programs if none of them are able to remove the virus?

    If anyone knows of any process or an AV program that is up to the job, I would love to hear about it.
     
  4. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    TDS-3 updated should detect it, why don't you try running both TDS and AV scanner in Safe Mode :)

    PG will block the injection too, if you take the time to set it up and/or get us to help you
     
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
  6. Dan1975

    Dan1975 Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    30
    Location:
    Sydney, Australia
    Thanks for the link to the Symantec website, but I have already tried everything they instructed to do and still have the same problem. I am currently running a TDS-3 scan to see if that picks up anything, but I have run two of them before and both came back with nothing.
     
  7. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    Can you tell me the exact paths and filenames of the infected ones?
    Check your NAV reports for them.


    I was thinking that this is a similar case as in that dslr thread:
    > an adware parasite, instead of Tataye's child. Especially the right click syndrome points to it.. the real Beast has nothing to do with that

    Check this:

    http://www.doxdesk.com/parasite/FavoriteMan.html


    Try this to remove it:
    • Download, install, update, configure, and run Ad-Aware SE Personal 1.05.
      • Download Ad-Aware SE Personal 1.05:
      • Install Ad-Aware SE Personal 1.05:
        • Double-click on aawsepersonal.exe to install the program.
        • Follow the default settings for installation.
        • After the program has finished installing uncheck the "Perform a full system scan now", "Update definition file now", and "Open the help file now" boxes.
      • Update Ad-Aware SE Personal 1.05:
        • Double-click the Ad-Aware SE Personal icon on your desktop.
        • Click "Check for updates now" then click "Connect".
        • It will check for any updates. If any are found click "OK" to download and install the updates. Once it has finished click "Finish".
      • Configure Ad-Aware SE Personal 1.05:
        • Click on the Gear button at the top of the window.
        • Click "General" on the left hand side to display the General Settings box.
          • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
            • "Automatically save logfile"
            • "Automatically quarantine objects prior to removal"
            • "Safe Mode (always request confirmation)"
            • "Prompt to update outdated definitions" - change to 7 days from the default 14.
        • Click "Scanning" on the left hand side to display the Scan Settings box.
          • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
            • "Scan within archives"
            • "Select drives & folders to scan" - select your hard drive(s).
            • "Scan active processes"
            • "Scan registry"
            • "Deep-scan registry"
            • "Scan my IE favorites for banned URLs"
            • "Scan my Hosts file"
        • Click "Advanced" on the left hand side to display the Advanced Settings box.
          • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
            • "Move deleted files to Recycle Bin"
            • "Include additional object information"
            • "Include negligible objects information"
            • "Include environment information"
        • Click "Defaults" on the left hand side to display the Default Settings box.
          • Make sure these items have your preferred settings in them:
            • "Default homepage"
            • "Default searchpage"
        • Click "Tweak" on the left hand side to display the Tweak Settings box.
          • Click the + (plus) sign next to the Log Files section. This will expand the section.
          • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
            • "Include basic Ad-Aware settings in log file"
            • "Include additional Ad-Aware settings in log file"
            • "Include reference summary in log file"
            • "Include alternate data stream details in log file"
          • Click the + (plus) sign next to the Scanning Engine section. This will expand the section.
          • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
            • "Unload recognized processes & modules during scan"
            • "Scan registry for all users instead of current user only"
            • "Obtain command line of scanned processes"
          • Click the + (plus) sign next to the Cleaning Engine section. This will expand the section.
          • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
            • "Always try to unload modules before deletion"
            • "During removal, unload Explorer and IE if necessary"
            • "Let Windows remove files in use at next reboot"
            • "Delete quarantined objects after restoring"
        • Once you are done with these settings, click "Proceed" to save them.
        • This will take you back to the main screen.
      • Run Ad-Aware SE Personal 1.05:
        • Click the "Start" button.
        • Uncheck the "Search for negligible risk entries" entry.
        • Choose the "Use custom scanning options" scan mode.
        • Click the "Next" button.
        • Ad-Aware will begin to scan for malware residing on your computer.
        • Allow the scan to finish.
        • Right-click on any entry in the list and click "Select All" to select the whole list.
        • Click "Next" and choose "OK" at the prompt to quarantine and remove the objects.


    A hint: disable Norton while scanning with Ad-Aware.

    Repeat the scan in safe mode:
    Starting your computer in Safe mode


    Cheers and good luck.
     
    Last edited: Feb 9, 2005
  8. Dan1975

    Dan1975 Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    30
    Location:
    Sydney, Australia
    Had a look at that link but not sure if it sounds like my problem. My IE doesn't really seem to be affected at all and I don't have any popups or anything like that.

    I only get problems when I right click on files or on icons. I just get the warning coming up as explained before. If I disable the AV programs, then obviously I get no warning, but the right click menu takes an excessive amount of time to come up and the computer seems to be doing something. Occasionally, the firewall will also ask to allow MSN Messenger access to the net when I have right clicked something totally unrelated to MSN Messenger.

    I have just run another TDS-3 scan which came back clean and had no alerts at all. I am now running another Ad-Aware SE scan as suggested to see if that picks it up. Not very confident in it as I have done it twice before and come back clean, but this is with different settings as described above. We'll see what happens.
     
  9. Dan1975

    Dan1975 Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    30
    Location:
    Sydney, Australia
    OK, just finished another Ad-Aware SE scan which only came back with some cookies which I deleted, but still the problem persists.

    This thing somehow seems to be able to be missed by every scan that I perform, yet is apparently activated and detected every time I right click. I don't know what is happening.
     
  10. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    Hi try following these instructions.

    Basic instructions for removing Trojans, stubborn viruses etc;

    1. Update windows and security software.

    2. Disable system restore.

    3. Boot into safe mode.

    4. Run security apps (anti-virus, anti-Trojan, anti-spyware etc.)

    5. Delete any problems.

    6. Boot normally.

    It should then be clean if not;

    Extended options,

    1. If you know the name of the virus, Trojan etc, research on web for removal advice.

    2. If the infected file has been identified, try to delete it manually. (Check the file name first, make sure it's not a legitimate file.)

    3. Perform an online AV scan with a different AV to the one you regularly use.

    4. Make a note of the running processes from Task Manager, research any that are not familiar HERE. (Look very carefully, some are almost identical to the real processes, e.g. Iexplore, lexplore; the latter is an L.)

    5. Look in the Windows Event Viewer for errors, it can point to the area/file that is having problems.

    6. Scan with HiJackThis, post log file at forum that does analysis.

    7. Perform a System File Check. (Windows CD > CDROM drive, click Start > Run, type in CMD, when the window opens type in "sfc /scannow"; this will replace any changed/damaged system files with a clean copy.)
     
  11. Dan1975

    Dan1975 Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    30
    Location:
    Sydney, Australia
    OK, I've tried most of those things to no avail, but I'll try some of the other stuff and see how I go. Gotta get some sleep now so I'll try and work on it tomorrow. By all means, if anyone has any new suggestions I am all ears.

    Thanks,

    Dan.
     
  12. Dan1975

    Dan1975 Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    30
    Location:
    Sydney, Australia
    Well, it looks as though Backdoor.Beasty.Family has won the battle. I think I am just going to reformat my hard drive in the next couple of days and be done with it. This seems like the only definitive way of removing it for sure, since no scanners are able to remove it.

    Thank you to everyone for your ideas and input, but I have spent too long on a problem which seems as though it cannot be remedied.

    Score check:
    Backdoor.Beasty.Family - 1
    Me - 0
     
  13. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    One last thing which is pretty quick, do you have another clean PC with an up-to-date anti-virus on it? If so, slave your hard drive off this machine and run a scan that way, by this I mean unplug the CDROM cable and run it solely on that cable.

    Let us know how you go...

    Cheers :D
     
  14. Dan1975

    Dan1975 Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    30
    Location:
    Sydney, Australia
    Unfortunately I only have the one computer. It looks to me like reformatting is going to be the only way to rid me of this thing. Luckily, I have partitioned the hard drive and am moving as much safe stuff to the F drive as I can to minimise the inconvenience it will cause.

    Once again, thanks to everyone for everything. It is good to know that there is good support out there when needed but it looks as though the bad guys have won this one.
     
  15. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Ok, when you get to this point, formatting can be the quickest option. You may want to take a look HERE regarding security setups, as well there are discussions HERE and even more HERE.

    Hope this helps....

    Cheers :D
     
  16. Big D1

    Big D1 Registered Member

    Joined:
    Aug 20, 2004
    Posts:
    68
    I would not give up yet. Have you tried Trojan Hunter? If not, download a 30 day free trial. It's supposed to be able to clean parasitic trojans from the Beast family, and that's what you have. TH claims that their program is the only one on the market that can clean parasitic trojans.

    http://www.trojanhunter.com/papers/thvsbeast/
     
  17. Dan1975

    Dan1975 Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    30
    Location:
    Sydney, Australia
    OK, tried TrojanHunter just for fun and guess what. Came back negative. TrojanHunter found nothing either. I don't know how I got it or where it came from, but this thing is unstoppable. Time to give up. :mad:
     
  18. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Have you tried uninstalling Norton and reinstalling it? I'm beginning to wonder if in fact you are infected or it is a case of Norton being corrupt.

    Cheers :D
     
  19. Dan1975

    Dan1975 Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    30
    Location:
    Sydney, Australia
    Nortons has been completely removed and I am now running PC-Cillin instead, as I thought it may have been Nortons too. Now I am getting the same thing happening with PC-Cillin. It says it has detected it and was unable to remove it and has quarantined it.

    I should send you this computer as a test case. Seems like nothing we do can get rid of this virus. We could hold a virus killing competition to get rid of it??
     
  20. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
  21. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    OK I agree with Craig, but with one more addition. Please try UnHackMe to see if there are any hidden Trojans around: http://www.greatis.com

    If you do have to reformat, after install, please also put in place a good back up regime as this can take a lot of the heartache out of situations such as this and IMHO forms a very important part of a layered defence.

    Take a look at the Acronis forums here for help regarding back ups.

    Best of luck, Pilli :)
     
  22. Dan1975

    Dan1975 Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    30
    Location:
    Sydney, Australia
    Just tried UnHackMe and it found nothing. I had a look at Killbox, but I am unable to correctly identify the file name of where this thing is, so am unable to delete it. Is that what Killbox needs? From looking at it, you have to give it a file to delete and that is all it does, but I am unable to locate the file to kill, so not sure what to do there?

    When I get the right click problem, it seems to change every time where it says the virus is. After only one right click, there are about 60 files quarantined.

    Then the same thing happens and another 60 or so files will be quarantined and they are different to the others?
     
  23. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Dan1975,

    Try this for me:
    Click Start > Run > type or copy&paste the part in bold:
    regedit /e c:\rightclick.txt "HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers"
    > OK

    That will create the file c:\rightclick.txt
    Post the content of that file please.

    Regards,

    Pieter
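    The key Pieter exports above is where Explorer looks up the shell extensions it loads on every right-click, which is why a handler registered there is touched each time the context menu opens. As an added example, not from the thread or from any tool named in it, this PowerShell script enumerates those handlers (the '*' key plus the folder, drive and folder-background keys, so slightly more than the single key exported above), resolves each CLSID to its DLL and checks the DLL's Authenticode signature; it assumes a Windows host with Windows PowerShell 5.1 or PowerShell 7.

```powershell
# Added example, not from the thread: list the shell context-menu handlers
# Explorer loads on a right-click and resolve each CLSID to its DLL so an
# unsigned or oddly located handler stands out. Assumes Windows PowerShell 5.1+.

# HKEY_CLASSES_ROOT is the merged view of HKLM\Software\Classes and
# HKCU\Software\Classes, so per-user registrations are covered as well.
$handlerKeys = @(
    'HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers',
    'HKEY_CLASSES_ROOT\AllFilesystemObjects\shellex\ContextMenuHandlers',
    'HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers',
    'HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers',
    'HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers',
    'HKEY_CLASSES_ROOT\Drive\shellex\ContextMenuHandlers'
)

function Get-ContextMenuHandler {
    foreach ($key in $handlerKeys) {
        # -LiteralPath matters: the '*' in the key name would otherwise be taken
        # as a wildcard and the query would silently return nothing.
        $subkeys = Get-ChildItem -LiteralPath "Registry::$key" -ErrorAction SilentlyContinue
        foreach ($sub in $subkeys) {
            # A handler's CLSID is the subkey's default value, or the subkey name
            # itself when the key is named after the GUID.
            $clsid = [string]$sub.GetValue('')
            if ([string]::IsNullOrWhiteSpace($clsid)) { $clsid = $sub.PSChildName }

            $server = Get-Item -LiteralPath "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" `
                               -ErrorAction SilentlyContinue
            # GetValue already expands REG_EXPAND_SZ values such as %SystemRoot%.
            $dll = if ($server) { ([string]$server.GetValue('')).Trim('"') } else { '' }

            $status = 'NoInprocServer32'
            $signer = ''
            if ($dll) {
                if (Test-Path -LiteralPath $dll) {
                    $sig    = Get-AuthenticodeSignature -FilePath $dll
                    $status = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, ...
                    $signer = $sig.SignerCertificate.Subject
                } else {
                    $status = 'DllMissing'
                }
            }

            [pscustomobject]@{
                Scope     = $key -replace '^HKEY_CLASSES_ROOT\\|\\shellex\\ContextMenuHandlers$', ''
                Handler   = $sub.PSChildName
                CLSID     = $clsid
                Dll       = $dll
                Signature = $status
                Signer    = $signer
            }
        }
    }
}

# Anything other than 'Valid', or a DLL living in a profile or temp directory,
# is what to look at first and what to hand to an AV vendor as a sample.
Get-ContextMenuHandler | Sort-Object Signature | Format-Table Scope, Handler, Signature, Dll -AutoSize
```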
     
  24. Dan1975

    Dan1975 Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    30
    Location:
    Sydney, Australia
    Do you guys have much faith in these programs that apparently take a snapshot of your harddrive that you can restore to if anything goes wrong. I think there may be one called Go Back or something similar. I was thinking of getting one when i do a clean install and was wondering if you recommend them or something similar so that i can try and avoid these problems again.
     
  25. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    If you can hang fire for a second, we have a few specialists looking at your thread, and there would be quite a few AV and AT companies that no doubt would like to get hold of a sample of this thing.

    Cheers :D
     