
About 5 days ago, after restoring my computer from a backup image and transferring some music on my external hard drive back to the computer (the music wasn't included in the backup image), Norton, while running a scan, flagged an MBAM temp file as Backdoor.Darkmoon. I made sure the digital signature of the installer was verified so I know it wasn't a rogue that really was malicious. Unfortunately, I do not have access to said file, as even after I restored it and added an exclusion for it (so that I could send it if necessary), the file got deleted anyway since it was a temp file. I do however, have the file hash (pain in the rear to type a file hash exactly right!) and the following information:

EDIT: Please note, this was with the current stable release of MBAM, 1.75.

File Thumbprint - SHA: 2effc324c90888f9bebb96f1b2798e3747547d5706c01b6b95de7e3bb71313b5

Filename: 00006783.tmp

Threat name: Backdoor.Darkmoon

Full Path: C:\Program Files\Malwarebytes' Anti-Malware\00006783.tmp

Threat type: Virus. Programs that infect other programs, files, or areas of a computer by inserting themselves or attaching themselves to that medium.

Details: Very few users (less than five computers have seen this file), Very New (seen less than one week ago), Risk High

Origin: Downloaded from: Unknown.

Source: external media

Source file: 00006783.tmp

On computers as of: 2/9/2014 at 5:32:10 PM

Last Used: 2/9/2014 at 5:34:13 PM

Startup Item: No

Launched: No

Activity: Actions performed: 3

Infected file: C:\Program Files\Malwarebytes' Anti-Malware\00006783.tmp Removed

Registry Actions

Registry change: HKLM\System\CurrentControlSet\Services\RpcSs\Parameters->ServiceDLL:%SystemRoot%\system32\rpcss.dll Repaired

Registry change: HKLM\System\ControlSet001\Services\RpcSs\Parameters->ServiceDLL:%SystemRoot%\system32\rpcss.dll Repaired

Root Admin

Not sure as no .tmp file belongs in our folder. You may want to double check with one of the Experts to ensure nothing else is going on there.

I would suggest following the advice from the topic here, Available Assistance for Possibly Infected Computers, and having one of the Experts assist you with looking into your issue.


Thanks

Hi Ron,

Thank you for the information. Although at first I thought it may have been an F/P, now I am a little on the concerned side. However, as soon as I got all the information about the file (that I posted above), I began a full wipe of both my computer's hard drive, and my external hard drive, doing at least 3 passes on the computer's hard drive and 1 pass on the external hard drive, not as in a format from the Windows disk, but booting into Acronis TrueImage from the CD, and overwriting all data with 3 passes on the computer's drive and one pass on the external hard drive; just to be on the safe side. Do you think that should have been enough if there was indeed a backdoor or file infector on my system? (I know a lot of times it is recommended to reinstall Windows if a file infector or backdoor is found).

Thanks,

Weyoun
