Variant: Backdoor.Dalsk
Operating Systems Affected: Windows 2000, Windows 9x, Windows Me, Windows NT, Windows Server, Windows Vista, Windows XP, Windows 7

Backdoor.Dalsk is a newly discovered Trojan horse (Dec. 30, 2010) that opens a backdoor, giving an attacker remote access to, and possibly full administrative control of, the infected system. The person controlling the Trojan may download files, capture screenshots, and create, edit and/or delete user accounts, services, files, and so on.
What’s a Backdoor?
A backdoor [computer system] is a method of bypassing normal authentication, securing remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected [Source: Wikipedia]
Here’s how to remove Backdoor.Dalsk manually:
• Temporarily disable System Restore (Windows ME/XP) - Click Start, right-click My Computer, then click Properties. Click the System Restore tab, then select the Turn off System Restore or Turn off System Restore on all drives check box. Click OK.
• Reboot and log in under Safe Mode with Networking – While booting, press and hold the F8 key. On the Windows Advanced Options Menu, use the arrow keys to choose Safe Mode with Networking, then press the Enter key.
• Show hidden files and folders – Open My Computer, click Folder Options and choose the View tab. Tick Show hidden files and folders, tick Hide protected operating system files.
• Navigate to and delete the following registry values - Click Start, Run, then type regedit.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\incs
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\ipcdr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irpfit
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ScardClt
{Disclaimer: Registry modification is done at your own risk. Back up the registry before making any changes!}
• Navigate and delete the following Backdoor.Dalsk created files:
%System%\Setup\wuauclt1.exe
%System%\rshx16.bak
%System%\rshx16.dll
%System%\Setup\hid32.log
%System%\scardclt.exe
%System%\drivers\ipcdr.sys
%System%\drivers\ipcdr.bak
%System%\ntmsapi16.dll
%System%\igxpgb32.dll
%System%\drivers\irpfit.sys
%System%\drivers\irpfit.bak
%System%\hid32.dll
%System%\hid32.bak
%System%\incs.exe
%System%\msvfw16.dll
%System%\dmome.dll
• Re-enable System Restore (Windows ME/XP) - Click Start, right-click My Computer, then click Properties. Click the System Restore tab, then clear the Turn off System Restore or Turn off System Restore on all drives check box. Click OK.
• Restart and boot under normal mode
• Update AV definition files
• Run Anti-Virus full system scan
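
A read-only check for the registry keys and files listed in the steps above, useful before deleting anything and again afterwards to confirm nothing was missed. This is an added example, not part of the original guide; it assumes PowerShell 3.0 or later and that %System% is the Windows system folder.

```powershell
# Added example: reports which Backdoor.Dalsk artifacts from this page are present.
# Read-only: nothing is modified or deleted.

# Assumption: %System% in the list above is the Windows system folder (System32).
$systemDir = [Environment]::SystemDirectory

# Service key names from the registry step above.
$serviceKeys = 'incs', 'ipcdr', 'irpfit', 'ScardClt'

# File paths from the file step above, relative to %System%.
$files = @(
    'Setup\wuauclt1.exe', 'Setup\hid32.log',
    'rshx16.bak', 'rshx16.dll', 'scardclt.exe',
    'drivers\ipcdr.sys', 'drivers\ipcdr.bak',
    'drivers\irpfit.sys', 'drivers\irpfit.bak',
    'ntmsapi16.dll', 'igxpgb32.dll',
    'hid32.dll', 'hid32.bak',
    'incs.exe', 'msvfw16.dll', 'dmome.dll'
)

$findings = @()

foreach ($name in $serviceKeys) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (Test-Path -LiteralPath $key) {
        # ImagePath shows which binary the service entry points to (may be empty).
        $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        $findings += [pscustomobject]@{
            Type = 'ServiceKey'; Path = $key; Detail = $props.ImagePath
        }
    }
}

foreach ($rel in $files) {
    $path = Join-Path $systemDir $rel
    # -Force returns hidden and system files as well.
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($item) {
        $detail = '{0} bytes, modified {1:u}' -f $item.Length, $item.LastWriteTime
        $findings += [pscustomobject]@{ Type = 'File'; Path = $path; Detail = $detail }
    }
}

if ($findings.Count -eq 0) {
    'None of the listed Backdoor.Dalsk registry keys or files were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

On 64-bit Windows, run it from a 64-bit PowerShell session: a 32-bit process is redirected from System32 to SysWOW64 and would check the wrong folder.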