
backdoor.montp virus

Discussion in 'Virus & Other Malware Removal' started by bbyboop1977, Apr 17, 2004.

Thread Status:
Not open for further replies.
  1. bbyboop1977

    bbyboop1977 Thread Starter

    Joined:
    Nov 23, 2003
    Messages:
    119
    Norton picked up saying that I had a virus a couple of days ago, but after I restarted my computer it didn't find it. But was there anything else that downloaded with it? I read somewhere that if you had that virus it goes into a folder called lslt and it is in the system32 folder. I looked at it and it has a whole bunch of my information. Is it safe or do I need to delete it? Thanks.
     
  2. buckaroo

    buckaroo

    Joined:
    Mar 25, 2001
    Messages:
    3,334
    :confused: I couldn't find anything on this virus on Symantec's site.
     
  3. xgerryx

    xgerryx

    Joined:
    May 16, 2003
    Messages:
    4,092
  4. buckaroo

    buckaroo

    Joined:
    Mar 25, 2001
    Messages:
    3,334
    :eek: Saw that listing but missed that entry. Now I see it.

    Thanks xgerryx. (y)
     
  5. bbyboop1977

    bbyboop1977 Thread Starter

    Joined:
    Nov 23, 2003
    Messages:
    119
    Okay well this is what someone said about it so I don't know.

    The problem is that backdoor.montp brings that executable with it, the executable does indeed change its name each time you boot. And if it is the same executable that came with it on my machine, it harvested all your PTR passwords and user names along with most every other website user name and password you have and put them into a text file in windows/system32/lslt and then transmitted it to somebody in the background over the internet connection.

    My Norton firewall caught it trying to transmit and shut down the transmission.

    You can only find the folder in system32 in safe mode, the executable cloaks it in normal mode from all attempts to find it. When in safe mode, check system32 for that folder and open it. There will be a text file there, open it and see what it says.

    It also writes its startup to system restore so I would advise disabling that while you are cleaning it. One of my spyware/trojan killers found evidence of it still there even after cleaning. Got rid of that too.

    Again, backdoor.montp simply seems to be the entry point for the trojan that comes with it. That trojan is bad news and seems specifically intended to harvest ptr user names and passwords, probably for hijacking people's accounts.

    If you don't have a firewall, or it was not set to stop outbound transmissions such as this, you had better change all your passwords.

    THIS THING IS BAD NEWS. Norton seems clueless as to what it is really capable of or that it brings this cargo with it. When Norton scans in safe mode it will actually report that it is the trojan exe that is infected with backdoor.montp.

    My concern, though, is also about the lslt folder that is holding a lot of personal information in it. I don't know if that is safe or not.
     
  6. xgerryx

    xgerryx

    Joined:
    May 16, 2003
    Messages:
    4,092
    Hello Buckaroo,
    I only found it by using the Google Toolbar's highlighter.

    Cheers
     
Short URL to this thread: https://techguy.org/221378