   Mischel Internet Security Forum
   Author  Topic: Weird trojan stuff..  (Read 554 times)
Ashlyn
Weird trojan stuff..
« on: Jan 26th, 2003, 6:07pm »

Was doing my regular delete of unwanted files, when I clicked on one (can't remember what it was) and selected "open with", then got the BIG RED SCREEN telling me that I had Backdoor.Mard Trojan in D\mirc. So I chose to disinfect it and thought it was done with. I removed and completely deleted mirc and the folder, and some left over mirc files here and there.
 
A few hours later my nightly AVG scan came on, and it found the trojan again. This time it was in c\_RESTORE and was invisible, so couldn't be disinfected or deleted. 2 more scans of _RESTORE folder and it was still there.  
 
I ran Sophos AV and it found nothing. I ran TH and it found nothing suspicious, no ports etc.
 
I ran AVG again and it found nothing!
 
So, can these things just go away, or could I have fixed it accidentally? I'm trojan illiterate. Checking for info, Sophos.com says that "Troj/Mardam attempts to gain unauthorised remote access of computers via IRC channels". I have no idea how long this thing has been sitting in my irc folder, and I haven't used irc for more than 6 months.
 
The only other info that I could find was that Mardam-Bey is the guy who made mirc and there was a variation of the Love Letter virus that sent out something from him and installed a trojan, but not this one.
 
I have no idea where this came from, I am very careful with email and don't download anything (although my kids have been playing around lately). I scan every downloaded file before opening.
 
I've also been getting an incredible amount of what I thought was spam, usually along the lines of "undeliverable" and it goes to random numbers and letters @mydomain.com. I've never had anything like these before. Could this be connected?
 
Thanks for any tips, and sorry this has been such a long post..
Ashlyn
Re: Weird trojan stuff..
« Reply #1 on: Jan 26th, 2003, 6:09pm »

I guess I should have let you know, I'm running Windows ME and use Outlook Express email, but scan everything with MailWasher first (anti-spam program, picks up viruses too).
ReGen
Re: Weird trojan stuff..
« Reply #2 on: Jan 26th, 2003, 7:12pm »

Ashlyn, it sounds like you had the Trojan file Backdoor.Mard on your computer which your AV has dealt with by deleting it.
It also seems like your computer has the restore facility enabled, so when any files are deleted, a copy of that file is placed in the restore folder just in case you need to get it back.
I think this is what your AV is detecting when you do a scan. Your computer should be safe enough as long as you don’t restore the file.
You should be able to flush the restore files if you want to, so long as you’re sure you won’t need to retrieve anything or need to wind the clock back.
If scans with your AV and AT are not flagging anything now (except for the restore), you're probably OK.
The Trojan file may have never been run until your tidy up, in which case your computer would have been unaffected.

--
ReGen
Ashlyn
Re: Weird trojan stuff..
« Reply #3 on: Jan 27th, 2003, 2:03am »

Thanks, and I'm praying that's the case. I've been told to reformat (by a tech friend), but I don't even know how to do that and don't want to mess with it. I can do just about anything with webpages, but not so good with the inner workings of this contraption..
Ashlyn
Re: Weird trojan stuff..
« Reply #4 on: Jan 27th, 2003, 3:59am »

I just did another scan, and this time it says..
"could not scan c\_RESTORE\TEMP\A0094693.CPY. The file is corrupt"
Does that mean it's still a nasty?
Jamming
Re: Weird trojan stuff..
« Reply #5 on: Jan 27th, 2003, 12:26pm »

What that means is that a restore file, c\_RESTORE\TEMP\A0094693.CPY, is corrupted. It very well could be the bad file has your trojan within. To disable System Restore, go to Control Panel, select System Properties, go to the Performance tab and select File System. From there, select the Troubleshooting tab and select Disable System Restore.
Reboot with System Restore disabled.

After the reboot, go into c\_RESTORE\TEMP\ and delete A0094693.CPY. No new restore file will be made. Make sure that the file is emptied from the Recycle Bin. Now all you need to do is go uncheck Disable System Restore and then reboot again. The Nasty File should be gone forever and you now have System Restore back.

If you have any questions, ask before doing. I or another will be glad to help you. The same procedure works to get rid of virus(es) that your AV deletes that stay resident in System Restore.
« Last Edit: Jan 27th, 2003, 12:29pm by Jamming »

Team Z Member

Servare cives, major est virtus patriae patri.
- Lucius Annaeus Seneca
I was born an American; I live an American; I shall die an American!
- Daniel Webster
redwolfe_98
Re: Weird trojan stuff..
« Reply #6 on: Jan 28th, 2003, 7:00am »

I would think that you could get rid of it like Jamming said: turn off System Restore, and then turn it back on: start/control panel/performance/system/system restore. That will dump your old restore points and so the files that are saved for that. After you do that, you can run your scanners and see what they say. I would also run disk defrag after dumping your old restore points.