#11

[ QUOTE ]
[ QUOTE ]
This showed up on mine too. Any idea where it's from?
[/ QUOTE ]
The only weird link I clicked on yesterday was the facial recognition thing in OOT. I didn't see if the MAS definitions updated yesterday--there's a chance this is something that showed up as a result of that...

scrub
[/ QUOTE ]
fwiw, I clicked that link too and no problems here..

#12

[ QUOTE ]
It didn't come back for me at startup, nor did it show up on subsequent SpyBot, Ad-Aware, or KAV scans. I'm wondering if the MAS definitions changed in a way that would cause a false positive on a common temp file...

scrub
[/ QUOTE ]
Weird. It came back again, but not after a restart or anything. I definitely didn't click on anything remotely suspect today either.

scrub

#13

The trojan probably did not get fully cleaned from your system. Did you disable System Restore?

I have a 2nd computer, and it appeared there, too. Yikes. I wonder if this is a new definition they added to MS Anti-Spyware recently, which might be why we all found the trojan at the same time.

#14

I've got it too!

#15

[ QUOTE ]
I wonder if this is a new definition they added to MS Anti-Spyware recently, which might be why we all found the trojan at the same time.
[/ QUOTE ]
I figure it's either that or we all clicked on some bad link in OOT. MS Anti-spyware can't find it again after it deletes it, so it's not like something that is respawning itself after every restart. I downloaded a Trojan Scanner, and that found a "suspicious file", which I sent to the company to look at. I'll let you know how that goes.

scrub

#16

I have system restore turned off, so that's not why I got it a second time. As I was searching for some info, I do believe I found a post saying it was a new addition to the MAS file list.

As far as what it is and where it comes from, I could find nothing anywhere, not even the Microsoft site.

DQ

#17

[ QUOTE ]
I have system restore turned off, so that's not why I got it a second time. As I was searching for some info, I do believe I found a post saying it was a new addition to the MAS file list. As far as what it is and where it comes from, I could find nothing anywhere, not even the Microsoft site.

DQ
[/ QUOTE ]
Yeah--I'm surprised at how difficult it is to find information about this. If there are so many people in one small community with this problem, it's got to be fairly widespread.

scrub

#18

I've got it too, and I think this may be serious trouble for us since the trojan seems to be specific to poker players.

I should add that yesterday I logged into every poker account that I have to count my money, and upon logging into one of the sites my firewall blocked something that came from a trojan. I can't remember which poker site it was, but we may find that the trojan was created to take advantage of users of that site. I don't want to relog into all the sites to find out which site it was, but if anyone else experienced this please post what site it was so we can figure out what is going on.

#19

I've removed this 3 times now using MAS. It is in the same location each time: c:\documents and settings\USERNAME\Local Settings\Temp\34.tmp

Are others having the "virus" placed in the same location? I let MAS remove it, reboot and scan my system, and it is clean. I've scanned my system while leaving the "trojan" on my system with HijackThis, Norton Anti-Virus, Lavasoft's AdAware and Spybot and found no documentation of the virus from these other scanners.

Here's some info on it: Cuebot Family Win32/Cuebot Family

LSASS vulnerability was supposedly remedied by Microsoft Windows updates in the past. I've looked for registry settings or win directory changes that may have been altered according to this and other documents and found nothing. Obviously if it's a new variant the trojan hides itself in other spots.

I haven't gotten the virus with my usual surfing about the web. I've scanned for it after surfing typical sites for 2-3 hours. It just may be coming from a poker site. Either way "34.tmp" is getting replicated, from what source I don't know. No other scanners are finding this so it's very odd. Right now I'm scanning again with Stinger and then pulling out the big guns with TrendMicro's sysclean with the latest lpt.185 virus patterns. TrendMicro has almost always found any serious virus for me in the past.

Why is MAS only detecting this worm? I didn't do anything last nite out of the usual, i.e. surfing the web, usual stuff: 2+2, Yahoo Finance and my usual assortment of rooms: Party Poker, EuroBet, PokerStars, DoylesRoom and Paradise. I've scanned the specific tmp w/ NIS2006 Anti-Virus and come up with nothing. But Norton hasn't updated virus definitions in 6 days. Going to run TrendMicro's sysclean now w/ the supposed trojan still on my system and see if it recognizes it. If not, just delete and hope it doesn't come back, which is doubtful.

Has anyone had this bug and tried to turn system restore off before attempting to remove it w/ MAS? That may work. Or is this a false alarm, no other scanners are finding it..?? If it comes back again I'm going to disable system restore and then remove it; hopefully that will do the trick.

#20

I had this on both my computers as well. When I first saw this thread I was relieved because it looks widespread. Now I'm a bit uneasy about it because we seem to be the only forum discussing it (and twoplustwo is almost the top Google hit).

It may just be erroneously reporting it from a heuristic scan and have to do with some image posted on OOT, or some poker site's temp file. Nonetheless I don't think it's an awful time to make some password changes.