rh27
Not really a Brit
+51|6605|England
I haven't had a helpful response on any specialist forums, so maybe someone here can help.

I ended up with a trojan. So I rebooted in safe mode, and ran AVG, Ewido, Spybot and Ad-aware.
Then ran HijackThis and got rid of some bad registry entries.

But, even though stuff was detected and deleted, the trojan keeps coming back, despite me not visiting any websites.

All of the programs had the latest updates, so any idea how I can get rid of this? Preferably without a re-format; I can't afford to lose my computer for a day just yet.
King_County_Downy
shitfaced
+2,791|6606|Seattle

have you tried etrust AV by computer associates?? It's the best out there for detecting wildcard viruses

http://www3.ca.com/securityadvisor/virusinfo/scan.aspx go here, reboot, let it scan and cure your infected files.

Last edited by King_County_Downy (2006-09-06 10:56:41)

Sober enough to know what I'm doing, drunk enough to really enjoy doing it
Viper007Bond
Moderator Emeritus
+236|6814|Portland, OR, USA

Backup and format. Easiest way.
King_County_Downy
shitfaced
+2,791|6606|Seattle

lol, you never try to fix the problem do you Viperbond?
Sober enough to know what I'm doing, drunk enough to really enjoy doing it
RedneckSloth
Member
+12|6603|MI
If it changes your homepage you might want to try cool web shredder; worked for me.
http://www.softpedia.com/get/Internet/P … dder.shtml
crimson_grunt
Shitty Disposition (apparently)
+214|6663|Teesside, UK
You may have already tried this but I've seen windows restore instantly recreate viruses on a couple of machines.  Go to Control panel, system tools, system restore and then tick the box to switch system restore off.  Then do the virus checks etc. 

Good luck!

edit:damn my bad spelling

Last edited by crimson_grunt (2006-09-06 16:58:06)

Ilocano
buuuurrrrrrppppp.......
+341|6676

Could be the new zCodec Trojan floating around.  Been downloading pron lately?

Check out this article http://www.techworld.com/security/news/ … ewsID=6781 and download Panda's software to remove it.
TheEternalPessimist
Wibble
+412|6629|Mhz

crimson_grunt wrote:

You may have already tried this but I've seen windows restore instantly recreate viruses on a couple of machines.  Go to Control panel, system tools, system restore and then tick the box to switch system restore off.  Then do the virus checks etc. 

Good luck!

edit:damn my bad spelling
QFT, system restore is handy but a damn security risk too. What I would say is disable system restore and restart your PC, that'll wipe all the backups off your PC, then scan and stuff. Then you can turn system restore back on if you want to.

tbh lazy as it is, format and re-install is usually faster than fixing the problem
nodehopper
Member
+56|6641
I gotta agree with Viper. Once I realized Windows is like a paper cup. You use it till it gets soggy then throw it away and get a nice new one. I have spent days trying to track down a corrupt .dll or broken registry entry. Then I got smart ....realized Windows is disposable and now I just reformat and reinstall and can get it done in like 4 hours.

I set up an OS hard drive and a second STORAGE drive. Save everything to the storage drive and then when I need to reinstall all my data is still there. Just make a folder on the storage drive with all your drivers, patches, DirectX 9c installer, program installers ...etc so it is all there when you need them for the fresh install of Windows. You will spend less time tearing your hair out and end up with a much better running computer.

Last night I reformatted and reinstalled Windows, then installed BF2, Then Special Forces and finally the full 1.4 patch. Bf2 is now running great and if it crashes I know it is either the patch or the server....not my machine.

Or just install Ubuntu Linux and stay virus free although gaming on Linux is pretty lame :-(

Edit: one last thought. If you reformat, make sure you also reformat the MBR (Master Boot Record) it is the very first track the computer reads on the Hard Drive (it is where the HD stores information like what kind of HD it is and where the OS resides). There have been a few really nasty Trojans / Virus that write themselves on the MBR. This means even if you reinstall they will come back. Just Google "format MBR" and you should find lots of tutorials on formatting the MBR. That COULD be why none of the AV programs are seeing it!

Last edited by nodehopper (2006-09-06 17:16:31)
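The MBR is sector 0 of the disk and sits outside every partition, so formatting a partition does not rewrite its boot code. As an added example that is not part of the original post, this Python code splits a 512-byte MBR into boot code and partition table and compares it with a known-good copy; the sample sectors are constructed, and reading the real sector from a disk or image is assumed to be done separately.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bootstrap code occupies bytes 0-445
ENTRY_FMT = "<B3xB3xII"        # status, CHS (skipped), type, CHS (skipped), LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511

def parse_mbr(sector):
    """Split a 512-byte MBR into a boot-code hash and its used partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR sector is exactly 512 bytes")
    if sector[510:] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, sector, BOOT_CODE_LEN + 16 * i)
        if ptype != 0:         # type 0 marks an unused slot
            partitions.append({"slot": i, "active": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}

def compare_to_baseline(baseline, current):
    """Report which part of the MBR differs from a known-good copy."""
    a, b = parse_mbr(baseline), parse_mbr(current)
    return {"boot_code_changed": a["boot_code_sha256"] != b["boot_code_sha256"],
            "partition_table_changed": a["partitions"] != b["partitions"]}

def build_sample_mbr(boot_code):
    """Constructed test sector: one active partition of type 0x07 starting at LBA 63."""
    entry = struct.pack(ENTRY_FMT, 0x80, 0x07, 63, 204800)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + entry + bytes(48) + BOOT_SIGNATURE

if __name__ == "__main__":
    clean = build_sample_mbr(b"\x01" * 32)      # placeholder bytes, not real boot code
    altered = build_sample_mbr(b"\x02" * 32)    # same partition table, different code
    print(parse_mbr(clean)["partitions"])
    print(compare_to_baseline(clean, altered))
```
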

Viper007Bond
Moderator Emeritus
+236|6814|Portland, OR, USA

King_County_Downy wrote:

lol, you never try to fix the problem do you Viperbond?
Just seems silly when formatting is pretty easy and should be done from time to time anyway.
Obiwan
Go Cards !!
+196|6703|The Ville
I did a system restore and that got rid of one lol, who would have ever thought ?
King_County_Downy
shitfaced
+2,791|6606|Seattle

Viper007Bond wrote:

King_County_Downy wrote:

lol, you never try to fix the problem do you Viperbond?
Just seems silly when formatting is pretty easy and should be done from time to time anyway.
True dat-


I just have so many programs on my home computer that if I ever reformatted, I'd lose almost all of them. I "fix" computers for a living and reformatting is almost never an option. There's always a way to fix it if you have the right tools at your disposal. I've never seen a virus/trojan/worm/adware/spyware/malware that I couldn't "fix".

Oh and System Restore is the Devil. Turn it off, leave it off.
Sober enough to know what I'm doing, drunk enough to really enjoy doing it
X3M*Selkie
Member
+13|6586|Belgium
You can try the online virus scanner from Trend Micro.
www.antivirus.com gets you to the local server. You'll find housecall in the home section.
It also has a virus dictionary with explanations of how to tweak files and registry to get rid of some malware/viruses.
Vilham
Say wat!?
+580|6775|UK
Run an anti virus check on it, find its name and directory, most likely embedded in a Windows file.

The next bit might not be exactly right; Windows told me to do something like this:

Get your windows CD
Run in boot mode
Type in some commands
Then type the delete command

No virus software can remove embedded viruses. What I've said is roughly what you do, so now if you see an explanation like this you will know that it's correct. Sorry I couldn't give you the exact process or a link.
King_County_Downy
shitfaced
+2,791|6606|Seattle

Vilham wrote:

Get your windows CD
Run in boot mode
Type in some commands
Then type the delete command
lmao!!!  You sir, just earned a karma point from me (as soon as I get one from the bank of chuy). That's the best thing I've heard in a long time!
Sober enough to know what I'm doing, drunk enough to really enjoy doing it
JeeSqwat
Tactical Specialist
+41|6738|Canada

nodehopper wrote:

I gotta agree with Viper. Once I realized Windows is like a paper cup. You use it till it gets soggy then throw it away and get a nice new one. I have spent days trying to track down a corrupt .dll or broken registry entry. Then I got smart ....realized Windows is disposable and now I just reformat and reinstall and can get it done in like 4 hours.

I set up an OS hard drive and a second STORAGE drive. Save everything to the storage drive and then when I need to reinstall all my data is still there. Just make a folder on the storage drive with all your drivers, patches, DirectX 9c installer, program installers ...etc so it is all there when you need them for the fresh install of Windows. You will spend less time tearing your hair out and end up with a much better running computer.

Last night I reformatted and reinstalled Windows, then installed BF2, Then Special Forces and finally the full 1.4 patch. Bf2 is now running great and if it crashes I know it is either the patch or the server....not my machine.

Or just install Ubuntu Linux and stay virus free although gaming on Linux is pretty lame :-(

Edit: one last thought. If you reformat, make sure you also reformat the MBR (Master Boot Record) it is the very first track the computer reads on the Hard Drive (it is where the HD stores information like what kind of HD it is and where the OS resides). There have been a few really nasty Trojans / Virus that write themselves on the MBR. This means even if you reinstall they will come back. Just Google "format MBR" and you should find lots of tutorials on formatting the MBR. That COULD be why none of the AV programs are seeing it!
best idea...this guy is smart take his advice
rh27
Not really a Brit
+51|6605|England
Sorted it. Did a search for it and found it.

The offending processes were winrnt32.dll and pmnll.dll, downloaded by the win32/nebuler.O virus.

If anyone else gets a similar problem, I fixed it by running Process Explorer, killing all instances of both DLLs, then using KillBox to delete them on start-up.
Ran HijackThis and deleted the registry entries for the 2 files as well.

It should be done in safe mode, but the virus was stopping me getting into safe mode by restarting the computer every time I tried. So after I did it initially, I restarted in the now-working safe mode and went through the steps again.
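The clean-up described in the post above depends on removing every start-up entry as well as the files. As an added example that is not part of the original post, this Python code reads a HijackThis log and lists each load point still referencing the two file names given there; the log text, entry names and CLSID are constructed, and the thread does not say which load points the trojan actually used.

```python
import re

# File names reported in the post above; everything else here is constructed.
SUSPECT_FILES = {"winrnt32.dll", "pmnll.dll"}

# HijackThis section codes for places a file can be loaded from at start-up.
LOAD_POINTS = {
    "O2": "Browser Helper Object",
    "O4": "Run key / Startup folder",
    "O20": "AppInit_DLLs / Winlogon Notify",
    "O23": "Windows service",
}
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|*?\r\n]*?\.(?:dll|exe)', re.IGNORECASE)

# Constructed sample log (CLSID and entry names are placeholders).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\winlogon.exe
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\system32\pmnll.dll
O4 - HKLM\..\Run: [ExampleAV] C:\Program Files\ExampleAV\av.exe /STARTUP
O4 - HKLM\..\Run: [loader] rundll32.exe "C:\WINDOWS\system32\WINRNT32.DLL",Run
O20 - Winlogon Notify: winrnt32 - C:\WINDOWS\system32\winrnt32.dll
"""

def find_load_points(log_text, suspects=SUSPECT_FILES):
    """Return (code, load-point type, path) for each entry that references a suspect file."""
    hits = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m or m.group("code") not in LOAD_POINTS:
            continue
        for path in PATH_RE.findall(m.group("body")):
            if path.rsplit("\\", 1)[-1].lower() in suspects:
                hits.append((m.group("code"), LOAD_POINTS[m.group("code")], path))
    return hits

def load_points_by_file(hits):
    """Group hits per file name; each listed entry is a place the file is loaded from."""
    grouped = {}
    for code, _kind, path in hits:
        grouped.setdefault(path.rsplit("\\", 1)[-1].lower(), []).append(code)
    return grouped

if __name__ == "__main__":
    for code, kind, path in find_load_points(SAMPLE_LOG):
        print(f"{code:<4}{kind:<32}{path}")
```
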
PuckMercury
6 x 9 = 42
+298|6536|Portland, OR USA

nodehopper wrote:

I gotta agree with Viper. Once I realized Windows is like a paper cup. You use it till it gets soggy then throw it away and get a nice new one. I have spent days trying to track down a corrupt .dll or broken registry entry. Then I got smart ....realized Windows is disposable and now I just reformat and reinstall and can get it done in like 4 hours.

I set up an OS hard drive and a second STORAGE drive. Save everything to the storage drive and then when I need to reinstall all my data is still there. Just make a folder on the storage drive with all your drivers, patches, DirectX 9c installer, program installers ...etc so it is all there when you need them for the fresh install of Windows. You will spend less time tearing your hair out and end up with a much better running computer.
Abso-freakin-lutely.  I've tried and tried to get people to realize that, but no one ever listens.

I know you said you wanted to avoid a format/reload, but if the thing is being this persistent - I don't see another viable option for truly getting rid of it.  You'll get a system down and as nodehopper said be up and going in 4 hours or less - depending on your load-out and definition of "up and going".  You'll be back in a bare-bones Windows install in under an hour.
Kmar
Truth is my Bitch
+5,695|6610|132 and Bush

Well you got something real nasty .. if AVG or HijackThis didn't fix it. Can you give us more info on the trojan?

I suggest getting a program that can take an image of your disc for the future as well. I use Norton Ghost. The version I use is very light. No installing just runs off 2 dvd's. It's easier than a bare bones format.

Last edited by Kmarion (2006-09-07 12:17:29)

Xbone Stormsurgezz
Cold Fussion
72% alcohol
+63|6677|Sydney, Australia
Download NOD32.
Vilham
Say wat!?
+580|6775|UK
http://www.symantec.com/security_respon … mp;tabid=3

That's the link; that is how you get rid of them safely without using downloaded software.

1. Insert the Windows XP CD-ROM into the CD-ROM drive.
2. Restart the computer from the CD-ROM drive.
3. Press R to start the Recovery Console when the "Welcome to Setup" screen appears.
4. Select the installation that you want to access from the Recovery Console.
5. Enter the administrator password and press Enter.
6. Type cd system32
7. Press Enter
8. Type del [TROJAN FILE NAME]
9. Press Enter
10. Type exit
11. Press Enter. The computer will now restart automatically.

Last edited by Vilham (2006-09-14 05:03:36)

aardfrith
Δ > x > ¥
+145|6801
I'm a bit late asking this but if you have a trojan that can't be detected, how do you know you've got it?
Vilham
Say wat!?
+580|6775|UK

aardfrith wrote:

I'm a bit late asking this but if you have a trojan that can't be detected, how do you know you've got it?
Just run as many virus checks as you can. These are what I used:

Norton 2003
Ad-aware
ewido anti spyware

I finally found 2 trojans and deleted them with ewido. I would have used the Norton method but didn't have a CD for XP that would boot up and work.
Mr.Pieeater
Member
+116|6633|Cherry Pie
I just got some really crappy virus or hack that changed my password for login and deleted everything in my hotmail account, contacts and all.  Does anyone have any recommendations on what to do?  I have a second HD with my data and wouldn't lose much from my other HD, but I would like to try to get it back without erasing everything.  Is there anything I can do?
